codechecker

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy

APACHE-2.0 License

Downloads
16.2K
Stars
2.1K
Committers
111


codechecker - v6.23.1 Latest Release

Published by bruntib 10 months ago

What's Changed

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.23.0...v6.23.1

codechecker - v6.23.0

Published by cservakt 11 months ago

🌟 Highlights

GCC Static Analyzer support

We are happy to announce that CodeChecker added native support for the GCC Static Analyzer! This analyzer checks code in the C family of languages, but its latest release at the time of writing is still best used only on C code. Despite it being a bit immature for C++, we did some internal surveys where the GCC Static Analyzer seemed to be promising.

We expect this analyzer to be slower than clang-tidy, but faster than the Clang Static Analyzer. You can enable it by adding --analyzers gcc to your CodeChecker check or CodeChecker analyze commands. For further configuration, check out the GCC Static Analyzer configuration page.

GNU GCC 13.0.0 (the minimum version we support) can be tricky to obtain and to make CodeChecker use, as CodeChecker looks for the g++ binary, not g++-13. As a workaround, you can set the environment variable CC_ANALYZER_BIN, which makes CodeChecker use the given analyzer path (e.g. CC_ANALYZER_BIN="gcc:/usr/bin/g++-13"). You can use CodeChecker analyzers to check whether you have the correct binary configured.

You can enable gcc checkers by explicitly mentioning them at the analyze command e.g.

CodeChecker analyze -e gcc

gcc checkers are only added to the extreme profile. After evaluation, some checkers may be added to other profiles too.

In the same breath, we added partial support for the SARIF file format (as an alternative to plists) to report-converter, with greater support planned for future releases.

Review status config file

In previous CodeChecker versions, you could set the review status of a report using two methods: using in-source comments, or setting a review status rule in the GUI. The former sets the specific report's review status, the latter sets all matching reports' review status.

This release introduces a third way, a review status config file! One of the motivations behind this is that we wanted to have a way to set review statuses on reports in specific directories (which was not possible on the GUI). CodeChecker uses a YAML config file that can be set during analysis:

$version: 1
rules:
  - filters:
      filepath: /path/to/project/test/*
      checker_name: core.DivideZero
    actions:
      review_status: intentional
      reason: Division by zero in test files is automatically intentional.

  - filters:
      filepath: /path/to/project/important/module/*
    actions:
      review_status: confirmed
      reason: All reports in this module should be investigated.

  - filters:
      filepath: "*/project/test/*"
    actions:
      review_status: suppress
      reason: If a filter starts with asterix, then it should be quoted due to YAML format.

  - filters:
      report_hash: b85851b34789e35c6acfa1a4aaf65382
    actions:
      review_status: false_positive
      reason: This report is false positive.

This is how you can use this config file for an analysis:

CodeChecker analyze compile_commands.json --review-status-config review_status.yaml -o reports

The config file allows for a great variety of ways to match a report and set its review status. For further details see this documentation.
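As an added worked example (not CodeChecker's own implementation), the following Python applies rules in the v6.23.0 format above to a handful of constructed reports; it assumes first-match-wins precedence between rules and fnmatch-style globbing for filepath filters. Note how a core.DivideZero report under test/ takes the first matching rule (intentional) rather than the later suppress rule.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Python form of the v6.23.0 review_status.yaml shown above (same keys and
# values as the YAML; written out here so the example runs without a YAML parser).
REVIEW_STATUS_CONFIG = {
    "$version": 1,
    "rules": [
        {"filters": {"filepath": "/path/to/project/test/*",
                     "checker_name": "core.DivideZero"},
         "actions": {"review_status": "intentional",
                     "reason": "Division by zero in test files is automatically intentional."}},
        {"filters": {"filepath": "/path/to/project/important/module/*"},
         "actions": {"review_status": "confirmed",
                     "reason": "All reports in this module should be investigated."}},
        {"filters": {"filepath": "*/project/test/*"},
         "actions": {"review_status": "suppress",
                     "reason": "If a filter starts with asterix, then it should be quoted due to YAML format."}},
        {"filters": {"report_hash": "b85851b34789e35c6acfa1a4aaf65382"},
         "actions": {"review_status": "false_positive",
                     "reason": "This report is false positive."}},
    ],
}

FILTER_KEYS = {"filepath", "checker_name", "report_hash"}
REVIEW_STATUSES = {"unreviewed", "confirmed", "false_positive", "intentional", "suppress"}


@dataclass
class Report:
    """One analyzer finding, identified by its report hash (constructed sample data)."""
    filepath: str
    checker_name: str
    report_hash: str
    review_status: str = "unreviewed"
    reason: str = ""


def validate_config(config):
    """Reject configs with an unknown version, filter key or review status
    before any rule is applied, so a typo cannot silently disable a rule."""
    if config.get("$version") != 1:
        raise ValueError("unsupported review status config version")
    for idx, rule in enumerate(config.get("rules", [])):
        filters = rule.get("filters", {})
        bad_keys = set(filters) - FILTER_KEYS
        if bad_keys or not filters:
            raise ValueError(f"rule {idx}: bad filter keys {sorted(bad_keys)}")
        status = rule.get("actions", {}).get("review_status")
        if status not in REVIEW_STATUSES:
            raise ValueError(f"rule {idx}: unknown review status {status!r}")


def rule_matches(filters, report):
    """Every filter in a rule must match (logical AND). filepath is a glob
    (fnmatch style, '*' also crosses '/'); the other keys are exact matches."""
    for key, pattern in filters.items():
        value = getattr(report, key)
        if key == "filepath":
            if not fnmatchcase(value, pattern):
                return False
        elif value != pattern:
            return False
    return True


def apply_review_status_config(config, reports):
    """Set review status and reason on each report from the first matching rule
    (assumption: rules are tried in file order and the first hit wins).
    Returns {report_hash: review_status} for easy inspection."""
    validate_config(config)
    result = {}
    for report in reports:
        for rule in config["rules"]:
            if rule_matches(rule["filters"], report):
                report.review_status = rule["actions"]["review_status"]
                report.reason = rule["actions"].get("reason", "")
                break
        result[report.report_hash] = report.review_status
    return result


# Constructed sample reports (hashes are placeholders, except the one from the YAML).
SAMPLE_REPORTS = [
    Report("/path/to/project/test/div.c", "core.DivideZero", "hash-div"),
    Report("/path/to/project/test/leak.c", "unix.Malloc", "hash-leak"),
    Report("/path/to/project/important/module/io.c", "core.NullDereference", "hash-io"),
    Report("/path/to/project/src/net.c", "core.NullDereference",
           "b85851b34789e35c6acfa1a4aaf65382"),
    Report("/path/to/project/src/util.c", "core.NullDereference", "hash-util"),
]

if __name__ == "__main__":
    for h, status in apply_review_status_config(REVIEW_STATUS_CONFIG, SAMPLE_REPORTS).items():
        print(f"{h}: {status}")
```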

Enable/disable status of checkers

In this release the unknown Checker status has been eliminated. CodeChecker will enable only those checkers that are either present in the default profile (see CodeChecker checkers --profile default) or enabled using the --enable argument (through another profile or explicitly through a checker name).

In previous CodeChecker versions, when you ran an analysis, we assigned one of three states to every checker: it was either enabled, disabled, or neither (unknown). We kept the third state around to give some leeway for the analyzers to decide which checkers to enable or disable, usually to manage their checker dependencies. We now see that this behavior can be (and usually is) confusing, partly because it's hard to tell which checkers were actually enabled.

You can list the checkers enabled by default using the CodeChecker checkers command:

CodeChecker 6.22.0 output:
 
CodeChecker checkers |grep clang-diagnostic-varargs -A7
clang-diagnostic-varargs
  --> Status: unknown <---
  Analyzer: clang-tidy
  Description:
  Labels:
    doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wvarargs
    severity:MEDIUM
 
=>
CodeChecker 6.23.0 output:
 
CodeChecker checkers |grep clang-diagnostic-varargs -A7
clang-diagnostic-varargs
  ---> Status: disabled <---
  Analyzer: clang-tidy
  Description:
  Labels:
    doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wvarargs
    severity:MEDIUM

Major fixes to run/tag comparisons (diff)

Following a thorough survey, we identified numerous areas to improve on our run/tag comparisons. We landed several patches to improve the results of diffs both on the CLI and the web GUI (which should be almost always identical). Although this feature has the appearance of a simple set operation, diff is a powerful tool that can express many properties of the state of your codebase, and has a few intricacies. For this reason, we also greatly improved our docs around it.

The issues are described in detail in this ticket: https://github.com/Ericsson/codechecker/issues/3884

One example: if the suppression was removed for a finding, the diff did not show the reappearing result as new (in a local/local diff):

// Code version 1:
void c() {
  int i = 0; // deadstore, this value is never read
  // codechecker_suppress [all] SUPPRESS ALL
  i = 5;
}


// Code version 2 (suppression removed):

void c() {
  int i = 0; // deadstore, this value is never read
  i = 5;
}

CodeChecker diff -b version1.c -n version2.c --new 
Did not show the deadstore finding as new.
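To make the intended semantics concrete, here is an added illustration (not CodeChecker's code) of a local/local diff as set operations over outstanding report hashes. It assumes that baseline reports with a false_positive, intentional or suppress status are not outstanding, and that a codechecker_suppress comment is recorded as false_positive; removing the in-source suppression then makes the dead store show up under --new.

```python
from dataclasses import dataclass

# Review statuses that take a report out of the "outstanding" set. Assumed here
# to be the statuses a CodeChecker diff ignores; not copied from CodeChecker's code.
NOT_OUTSTANDING = {"false_positive", "intentional", "suppress"}


@dataclass(frozen=True)
class Report:
    """A finding identified by its report hash (constructed sample data)."""
    report_hash: str
    checker_name: str
    review_status: str = "unreviewed"


def outstanding(reports):
    """Hashes of reports that still need attention in a result directory."""
    return {r.report_hash for r in reports if r.review_status not in NOT_OUTSTANDING}


def diff_reports(baseline, new):
    """Local/local diff as pure set operations over outstanding report hashes,
    keyed like the CLI flags --new, --resolved and --unresolved."""
    base_hashes, new_hashes = outstanding(baseline), outstanding(new)
    return {
        "new": new_hashes - base_hashes,
        "resolved": base_hashes - new_hashes,
        "unresolved": base_hashes & new_hashes,
    }


# Constructed result sets for the two code versions above (hashes are placeholders).
# In version 1 the dead store is covered by the codechecker_suppress comment,
# recorded as false_positive; in version 2 the comment is gone. A second,
# unrelated report is fixed between the versions and a third one stays.
VERSION1 = [
    Report("hash-deadstore", "deadcode.DeadStores", "false_positive"),
    Report("hash-null", "core.NullDereference"),
    Report("hash-leak", "unix.Malloc"),
]
VERSION2 = [
    Report("hash-deadstore", "deadcode.DeadStores"),
    Report("hash-leak", "unix.Malloc"),
]

if __name__ == "__main__":
    for mode, hashes in diff_reports(VERSION1, VERSION2).items():
        print(f"--{mode}: {sorted(hashes)}")
```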

Web GUI improvements

We landed several patches to improve the readability and usability of the GUI, with more improvements to come in later releases! The currently selected event's visual highlight pops a little more now in the report view, and we no longer show unused columns in the run view.

In this image, you can see how much the selected event "pops" after this release, and also how other events' opacity was lowered a bit, which allows arrows to be seen through them.

  1. In the report detail page, outstanding and closed issues are now clearly organized into a tree view on the left, so it is easier to see which reports need more attention (fixing or triaging).


Report limit for storing to the server

Especially in the case of clang-tidy, we have observed an unreasonable number of reports by certain checkers. In some instances, we saw hundreds of thousands (!) of reports from some individual checkers, and it is more than unlikely that anyone will inspect these reports individually (you probably got the message about using parentheses around macros after the first 15 000 reports).

We found that these checkers were usually enabled by mistake, and put unnecessary strain both on the storage of results to the server and on the database once stored. Moving forward, CodeChecker servers will reject stores of runs that have more than 500 000 reports. This limit is a default value that you can change or even set to unlimited. Our intent is not to discourage legitimately huge stores, only those whose size is likely this large by mistake.

When creating a new product called My product at endpoint myproduct, you can set the report limit from the CLI with the following invocation:

CodeChecker cmd products add -n "My product" --report-limit 1000000 myproduct

For an already existing product, you can change the limit by clicking the pencil at the products page:

❗ Backward incompatible changes

  • [analyzer] Promote the missing analyzer warning to an error #3997
    • If analyzers are specified with --analyzers flag and one of them is missing, CodeChecker now emits an error.
    • Previously, the user could only specify the analyzers without version number e.g.: CodeChecker analyze compile_commands.json -o reports --analyzers clangsa
    • Now, you can also validate the analyzer's version number e.g.: CodeChecker analyze compile_commands.json -o reports --analyzers clangsa==14.0.0
    • In both cases, if a wrong analyzer was given, the system exit would trigger.

--all and --details were deprecated for CodeChecker analyzers

With the introduction of the GCC Static Analyzer, we think that the --all flag was more confusing than useful -- it's a reasonable assumption that any system will have a version of GCC available. The default behaviour prior to this release was to only list analyzers that were available for analysis: the binary was found, met the version criteria, and was functional. The --all flag listed all supported analyzers, even if they were not available. We changed the default behaviour to always list all supported analyzers, and --all is ignored. We emit helpful warnings for analyzers that CodeChecker supports, but can't analyze with.

--details could be used to print additional version information of the binary, but we didn't feel like it provided any value above what the non-detailed query gave, and it was impossible to pretty print. After this release, this flag will also be ignored.

πŸ› Analyzer improvements

💻 CLI/Server improvements

🌳 Environment

📖 Documentation updates

🔨 Other

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.22.2...v6.23.0

codechecker - 6.23.0-rc2

Published by vodorok 11 months ago

The following changes and fixes were made since v6.23.0-rc1.

GCC Static Analyzer Related Changes:

Fixed the SARIF file location according to the GCC documentation.
Changed GCC's output format to sarif-stderr.
Temporarily ignored compiler warnings in GCC.

πŸ› Analyzer Improvements:

Replaced the multiprocessing library with multiprocess. This resolved issues in multiprocess library usage on different platforms but mostly on OSX. Added in https://github.com/Ericsson/codechecker/pull/4076

Fixed a crash when the CC_ANALYZERS_FROM_PATH env variable is set in https://github.com/Ericsson/codechecker/pull/4084

Corrected a bug about the --enable-all flag not disabling specific warnings.
Fixed non-determinism in the appearance of clang-tidy checkers.
Prevented duplicate addition of extra arguments in cppcheck.
Resolved an issue with the AnalyzerContext lazy initialization.

💻 Server/GUI Updates:

An error was fixed when loading a report in the report view that caused the review status dropdown menu's value to fail to update when switching to a report with a different status. Fixed in https://github.com/Ericsson/codechecker/pull/4082

CI Configuration

The issue with building ReadTheDocs has been rectified. You can view the latest docs here: https://codechecker.readthedocs.io/en/latest/
In addition, we have made modifications to the PyPI action for more reliable package publishing.

🔨 Other:

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.23.0-rc1...v6.23.0-rc2

codechecker - v6.23.0-rc1

Published by bruntib 12 months ago

🌟 Highlights

GCC Static Analyzer support

We are happy to announce that CodeChecker added native support for the GCC Static Analyzer! This analyzer checks code in the C family of languages, but its latest release at the time of writing is still best used only on C code. Despite it being a bit immature for C++, we did some internal surveys where the GCC Static Analyzer seemed to be promising.

We expect this analyzer to be slower than clang-tidy, but faster than the Clang Static Analyzer. You can enable it by adding --analyzers gcc to your CodeChecker check or CodeChecker analyze commands. For further configuration, check out the GCC Static Analyzer configuration page.

GNU GCC 13.0.0 (the minimum version we support) can be tricky to obtain and to make CodeChecker use, as CodeChecker looks for the g++ binary, not g++-13. As a workaround, you can set the environment variable CC_ANALYZER_BIN, which makes CodeChecker use the given analyzer path (e.g. CC_ANALYZER_BIN="gcc:/usr/bin/g++-13"). You can use CodeChecker analyzers to check whether you have the correct binary configured.

You can enable gcc checkers by explicitly mentioning them at the analyze command e.g.

CodeChecker analyze -e gcc

gcc checkers are only added to the extreme profile. After evaluation, some checkers may be added to other profiles too.

In the same breath, we added partial support for the SARIF file format (as an alternative to plists) to report-converter, with greater support planned for future releases.

Review status config file

In previous CodeChecker versions, you could set the review status of a report using two methods: using in-source comments, or setting a review status rule in the GUI. The former sets the specific report's review status, the latter sets all matching reports' review status.

This release introduces a third way, a review status config file! One of the motivations behind this is that we wanted to have a way to set review statuses on reports in specific directories (which was not possible on the GUI). CodeChecker uses a YAML config file that can be set during analysis:

# review_status.yaml

- filepath_filter: /path/to/project/test/*
  checker_filter: core.DivideZero
  message: Division by zero in test files is automatically intentional.
  review_status: intentional
- filepath_filter: /path/to/project/important/module/*
  message: All reports in this module should be investigated.
  review_status: confirmed
- filepath_filter: "*/project/test/*"
  message: If a filter starts with asterix, then it should be quoted due to YAML format.
  review_status: suppress
- report_hash_filter: b85851b34789e35c6acfa1a4aaf65382
  message: This report is false positive.
  review_status: false_positive

This is how you can use this config file for an analysis:

CodeChecker analyze compile_commands.json --review-status-config review_status.yaml -o reports

The config file allows for a great variety of ways to match a report and set its review status. For further details see this documentation.

Enable/disable status of checkers

In previous CodeChecker versions, when you ran an analysis, we assigned one of three states to every checker: it was either enabled, disabled, or neither (unknown). We kept the third state around to give some leeway for the analyzers to decide which checkers to enable or disable, usually to manage their checker dependencies. We now see that this behavior can be (and usually is) confusing, partly because it's hard to tell which checkers were actually enabled.
In this release the unknown status has been eliminated, and we deal with dependencies using other means. Moving on, CodeChecker will enable only those checkers that are either present in the default profile (see CodeChecker checkers --profile default) or enabled using the --enable argument.

Major fixes to run/tag comparisons (diff)

Following a thorough survey, we identified numerous areas to improve on our run/tag comparisons. We landed several patches to improve the results of diffs both on the CLI and the web GUI (which should be almost always identical). Although this feature has the appearance of a simple set operation, diff is a powerful tool that can express many properties of the state of your codebase, and has a few intricacies. For this reason, we also greatly improved our docs around it.

Web GUI improvements

We landed several patches to improve the readability and usability of the GUI, with more improvements to come in later releases! The currently selected event's visual highlight pops a little more now in the report view, and we no longer show unused columns in the run view.

In this image, you can see how much the selected event "pops" after this release, and also how other events' opacity was lowered a bit, which allows arrows to be seen through them.

Report limit for storing to the server

Especially in the case of clang-tidy, we have observed an unreasonable number of reports by certain checkers. In some instances, we saw hundreds of thousands (!) of reports from some individual checkers, and it is more than unlikely that anyone will inspect these reports individually (you probably got the message about using parentheses around macros after the first 15 000 reports).

We found that these checkers were usually enabled by mistake, and put unnecessary strain both on the storage of results to the server and on the database once stored. Moving forward, CodeChecker servers will reject stores of runs that have more than 500 000 reports. This limit is a default value that you can change or even set to unlimited. Our intent is not to discourage legitimately huge stores, only those whose size is likely this large by mistake.

When creating a new product called My product at endpoint myproduct, you can set the report limit from the CLI with the following invocation:

CodeChecker cmd products add -n "My product" --report-limit 1000000 myproduct

For an already existing product, you can change the limit by clicking the pencil at the products page:

❗ Backward incompatible changes

Clang warnings must be referred to as clang-diagnostic-<warning-name> (instead of W<warning-name>)

Since well before this release, reports from clang compiler warnings were attributed to clang-diagnostic-<warning-name> instead of -W<warning-name>, the flag usually given to the compiler to enable <warning-name>. We did this so that warnings from different compilers could be differentiated. However, you could only enable <warning-name> as a checker by referencing it as W<warning-name>. In this release, we fixed this inconsistency.

Moving forward, you can enable a clang warning with the following syntax:

CodeChecker analyze -e clang-diagnostic-deprecated-copy

instead of

CodeChecker analyze -e Wdeprecated-copy

which is no longer supported. You can list all clang-diagnostics with the CodeChecker checkers command.

--all and --details were deprecated for CodeChecker analyzers

With the introduction of the GCC Static Analyzer, we think that the --all flag was more confusing than useful -- it's a reasonable assumption that any system will have a version of GCC available. The default behaviour prior to this release was to only list analyzers that were available for analysis: the binary was found, met the version criteria, and was functional. The --all flag listed all supported analyzers, even if they were not available. We changed the default behaviour to always list all supported analyzers, and --all is ignored. We emit helpful warnings for analyzers that CodeChecker supports, but can't analyze with.

--details could be used to print additional version information of the binary, but we didn't feel like it provided any value above what the non-detailed query gave, and it was impossible to pretty print. After this release, this flag will also be ignored.

πŸ› Analyzer improvements

💻 CLI/Server improvements

🌳 Environment

📖 Documentation updates

🔨 Other

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.22.2...v6.23.0-rc1

codechecker - v6.22.2

Published by bruntib over 1 year ago

🌟 Highlights

Support for Ubuntu 22.04

CodeChecker failed to build on Ubuntu 22.04 in its previous release because of two issues: some of our dependencies broke with the release of python3.9, and we didn't support GNU Make's new way of creating build jobs. These issues are all fixed now, so CodeChecker should work with the latest version of python and GNU Make!

πŸ› Analyzer improvements

  • Ignore some gcc flags (-fno-lifetime-dse #3913, -Wno-error, -fprofile #3937, #3941)
    • We do these kinds of patches regularly when a gcc flag is not supported by our main analyzer, clang.
  • Disable cppcheck-preprocessorErrorDirective explicitly #3902
    • The Cppcheck analyzer reports compilation errors due to the less granular configuration of the build environment. This results in too many false-positive reports, so this checker is disabled by default.
  • Fix exception in Spotbugs report-converter (report-converter crashed when SourceLine has no source_path attribute) #3917
  • Fix crash when an assembler command is analyzed #3914
  • Logger-related changes
    • Recognize and capture linux_spawn alongside exec* calls in the logger #3930
    • Use absolute path to logger.so in LD_PRELOAD #3919
      • CodeChecker logger is using the LD_PRELOAD environment variable where ldlogger.so was set with a relative path. Due to the relative path LD_LIBRARY_PATH has to be set too. However, this latter environment variable is overridden by the build systems many times. So CodeChecker uses an absolute path in LD_PRELOAD and eliminates the usage of LD_LIBRARY_PATH.
  • Adapt to new clang-tidy checker options format. #3934
  • Enable multiple inputs for report-converter #3897
  • Introduce sanitizer checker names #3904
  • Exclude dynamic parts of checker message in hash generation #3927
  • Analysis shouldn't fail on non-existing directory #3943
  • report-converter: Parse all leaks reported by LeakSanitizer #3750

💻 CLI/Server improvements

  • [fix][server] Fix webapp crash when using component filter #3887
  • [bugfix] Fix the zombie process issue #3895
  • 6.22.1 highlights #3888
  • [GUI] Add a tooltip about Diff #3890
  • [cmd] Warning message on no run delete. #3915
  • [GUI] Pop the call stack when the message starts with "Returning;" #3948
  • Fix local local diff src code suppression #3944

🌳 Environment

  • [test] Get rid of mockldap #3894
  • [req] Upgrade lxml to 4.9.2 #3896
  • [fix] One more attempt to fix gui tests #3911
  • Bump GitPython version #3841
  • [ci] Remove pypi actions from pullrequest and push events. #3912
  • Update Snapstore publish action #3891
  • [fix] Fix newly surfaced gui test error during cleanup plan testing #3920
  • [test][NFC] Change from nose to pytest (analyzer library) #3926
  • [test][NFC] Change from nose to pytest (tools library) #3931
  • [test][NFC] Change from nose to pytest (web library) #3932
  • [test][NFC] Remove every remaining trace of nose in favor of pytest #3933
  • [env] Upgrade PyYAML to version 6.0 #3942
  • [test] Allow additional pytest args to be given through make targets #3935

📖 Documentation updates

  • [config] Additional clang-diagnostic documentations #3922

🔨 Other

  • [doc] Make every second release highlight green #3882
  • [version] Bump up to version 6.23.0 #3893
  • Makefile: package_gerrit_skiplist should depend on package_dir_structure #3901
  • [NFC] Factor args out of the diff logic for unit tests #3863
  • [refactor] Reducing analyzer config handler #3824
  • [test] Add missing tests for cmdline diffing, and display a bug for tag diffs #3868
  • Error message: Add a missing space #3953
  • Fix a Pylint false positive with python3.9 or later #3925

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.22.0...v6.22.2

codechecker - v6.22.1

Published by vodorok over 1 year ago

🌟 Highlights

[fix][server] Fix webapp crash when using component filter

CodeChecker webapp was crashing when using the component filter, which has been fixed in this release. #3887

[doc] Make every second release highlight green #3882

codechecker - v6.22.0

Published by bruntib over 1 year ago

🌟 Highlights

Further enhancements to speed up the store procedure

After another round of optimizations, CodeChecker store is ~2 times faster than in v6.21.0. Combined with the previous release, storing may be as much as 4 times faster than in v6.20.0, with larger result directories seeing a greater degree of improvement.

This should allow those that use CodeChecker in CI loops to see fewer timeouts due to long storages, or to lower timeout thresholds significantly.

Multiroot analysis

CodeChecker now supports an analysis mode where for each source file, it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.

If your project is structured such that multiple folders act as their own root folder (hence the name multiroot), CodeChecker should be able to support that out of the box. clangd and clang-tidy already work this way: https://clangd.llvm.org/installation.html#compile_commandsjson

This feature also affects the CodeChecker Visual Studio Code plugin, where analysis will be done on multiroot projects as well Ericsson/CodecheckerVSCodePlugin#113.

Previously, the input of the analysis had to be a compilation database JSON file. This PR supports the following new CodeChecker analyze invocations, as long as a corresponding compilation database file is found:

# Analyze a single file.
CodeChecker analyze analyze.cpp -o reports

# Analyze all source files under a directory.
CodeChecker analyze my_project -o reports

Support report annotations and add dynamic analyzer related annotations

CodeChecker is now able to parse additional fields from plist files especially relevant to dynamic analyses.
https://github.com/Ericsson/codechecker/blob/master/docs/analyzer/user_guide.md#dynamic-analysis-results

<dict>
  <key>diagnostics</key>
  <array>
    <dict>
      <key>category</key>
      <string>unknown</string>
      <key>check_name</key>
      <string>UndefinedBehaviorSanitizer</string>
      <key>report-annotation</key>
      <dict>
        <key>testcase</key>
        <string>yhegalkoei</string>
        <key>timestamp</key>
        <string>1970-04-26T17:27:55</string>
      </dict>
      <key>path</key>
      <array>
        ...
      </array>
    </dict>


Unlike for static analyzers, the time of the detection can be a crucial piece of information, as a report may be a result of another preceding report. Users that record the timestamp of the detection and store it in CodeChecker under the new 'Timestamp' field will be able to sort reports by it. CodeChecker now also supports the 'Testsuite' field.

You can read more about this feature in its PR #3849, and the relevant docs PR #3871.

❗ Backward incompatible changes

  • [cmd] Remove some deprecated flags. #3823
    • CodeChecker checkers --only-enabled: DEPRECATED. Show only the enabled checkers. Use CodeChecker checkers --details to list the checker status (enabled/disabled).
    • CodeChecker checkers --only-disabled: DEPRECATED. Use CodeChecker checkers --details to list the checker status.
    • CodeChecker cmd diff -s, --suppressed: DEPRECATED. Lists the suppressed reports. Use the --review-status [REVIEW_STATUS [REVIEW_STATUS ...]] flag to filter the results.
    • CodeChecker cmd diff --filter FILTER: DEPRECATED. Filter diff results. Use the --review-status [REVIEW_STATUS [REVIEW_STATUS ...]] flag to filter the results.
    • CodeChecker cmd sum --disable-unique: DEPRECATED. Use the '--uniqueing' option to get uniqueing results.
  • [cmd] Remove the CodeChecker analyze --tidy-config flag #3822
    • CodeChecker analyze [--tidy-config TIDY_CONFIG]: DEPRECATED and removed.
      Use CodeChecker analyzers --analyzer-config clang-tidy to list the analyzer options.
      Use e.g. CodeChecker analyze --analyzer-config clang-tidy:WarningsAsErrors=true to set a parameter.
      Alternatively you can use .clang-tidy config files too.
  • [analyzer] Promote the missing checker warning to an error #3820
    • If a checker name given to --enable/--disable is not recognized (usually because of a typo) by any of the analyzers, CodeChecker now emits an error. While we strongly advise you against it, you can demote this error to a warning, restoring the behaviour similar to previous releases, with the flag --no-missing-checker-error (#3866).

πŸ› Analyzer improvements

  • ignore -fno-keep-inline-dllexport gcc option #3813
  • Fix error using Clang option '-stdlib=libc++' #3808
  • [fix] Fix a condition about checkers being compiler warnings #3838
  • [analyzer] Promote the missing checker warning to an error #3820
  • [fix] Pass arch flag correctly #3854
  • [fix] Treat clang-diagnostic-* checkers as compiler flags #3874
  • Forward --driver-mode compiler flag to the analyzer #3867

πŸ” Profile changes

  • bugprone-standalone-empty: default, extreme, sensitive
  • bugprone-unsafe-functions: extreme, security, sensitive
  • cert-msc24-c: alias of bugprone-unsafe-functions
  • cert-msc33-c: alias of bugprone-unsafe-functions
  • cppcoreguidelines-avoid-capture-default-when-capturing-this: extreme, sensitive
  • cppcoreguidelines-avoid-capturing-lambda-coroutines: default, extreme, sensitive
  • cppcoreguidelines-avoid-reference-coroutine-parameters: default, extreme, sensitive
  • cppcoreguidelines-rvalue-reference-param-not-moved: extreme, sensitive
  • llvmlibc-inline-function-decl: style
  • misc-use-anonymous-namespace: default, extreme, sensitive
  • Document the new checker misc-use-anonymous-namespace #3803
  • [cfg] Assign new check profiles for 6.22RC1 #3861

💻 CLI/Server improvements

  • Further enhancements to speed up the store procedure #3796
  • Multiroot analysis #3815
    CodeChecker now supports an analysis mode where for each source file, it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.
    clangd and clang-tidy work this way: https://clangd.llvm.org/installation.html
    This feature allows the analysis of multi-root projects also in the vscode plugin Ericsson/CodecheckerVSCodePlugin#113
    Previously the input of the analysis was a compilation database JSON file. The goal of this PR is to support the following analysis invocations:
    # Analyze one source file.
    CodeChecker analyze main.c -o reports

    # Analyze all source files under a directory.
    CodeChecker analyze my_project -o reports
  • Support report annotations and add dynamic analyzer related annotations #3849
  • Required format for --checker-config #3817
    The "CodeChecker analyze" command has a --checker-config flag. The parameter of this flag should be in the following format:
    <analyzer>:<checker>:<option>=<value>. This format is checked and an error message is emitted if the format is not met.
  • [cmd] Gracefully exit instead of crashing when cmd diff is missing a param #3801
  • cppcheck: allow spaces in path #3812
  • [cmd] Fix a crash with CodeChecker cmd diff --unique on #3816
  • [bugfix] Don't convert cppcheck parameters to absolute path #3821
  • [cmd] Deprecate --warnings flag #3802
  • [gui] Fix for filter product in gui test #3469
  • [web] Fix stale permission caching #3840

🌳 Environment

  • [req] Upgrade lxml to 4.9.1 #3799
  • Fix three bugs and a couple of style issues #3804
  • Updates to setup.py/PyPI configuration #3819
  • [test] Upgrade to Python 3.8 in GitHub Actions #3859

📖 Documentation updates

  • README.md: add python3-setuptools dependency #3729
  • [docs] Reword what labels, guidelines, checkers mean, and their enabling #3845

🔨 Other

  • [version] Bump version to 6.22.0 #3787
  • [repo] Add vim sessions file to gitignore #3792
  • [docs] Fix facebook-infer links #3834
  • [tests] Change subprocess.call to subprocess.Popen #3837
  • Change dev/test servers port from default #3833

codechecker - v6.22.0-rc1

Published by bruntib over 1 year ago

🌟 Highlights

Further enhancements to speed up the store procedure

After another round of optimizations, CodeChecker store is ~2 times faster than in v6.21.0. Combined with the previous release, storing may be as much as 4 times faster than in v6.20.0, with larger result directories seeing a greater degree of improvement.

This should allow those that use CodeChecker in CI loops to see fewer timeouts due to long storages, or to lower timeout thresholds significantly.

Multiroot analysis

CodeChecker now supports an analysis mode where for each source file, it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.

If your project is structured such that multiple folders act as their own root folder (hence the name multiroot), CodeChecker should be able to support that out of the box. clangd and clang-tidy already work this way: https://clangd.llvm.org/installation.html#compile_commandsjson

This feature also affects the CodeChecker Visual Studio Code plugin, where analysis will be done on multiroot projects as well Ericsson/CodecheckerVSCodePlugin#113.

Previously the input of analysis must have been a compilation database JSON file. This PR supports the following new CodeChecker analyze invocations, as long as a corresponding compilation database file is found:

# Analyze a single file.
CodeChecker analyze analyze.cpp -o reports

# Analyze all source files under a directory.
CodeChecker analyze my_project -o reports
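As an added illustration of the lookup described above (and of the same item in the 6.22.0-rc1 CLI/Server list further down), here is a small Python script that walks up from each source file to the nearest compile_commands.json and buckets the sources by the database found. It is example code written for this page, not CodeChecker's implementation; the stop_at project-root bound, the directory layout and the one-entry databases it builds in a temporary directory are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

DB_NAME = "compile_commands.json"


def find_compilation_database(source: Path,
                              stop_at: Optional[Path] = None) -> Optional[Path]:
    """Return the closest compile_commands.json at or above the directory of
    `source`, checking one parent at a time. `stop_at` (an assumption of this
    example, not a CodeChecker flag) bounds the search at a project root;
    without it the search ends at the filesystem root."""
    directory = source.resolve().parent
    stop = stop_at.resolve() if stop_at is not None else None
    while True:
        candidate = directory / DB_NAME
        if candidate.is_file():
            return candidate
        if directory == stop or directory.parent == directory:
            return None
        directory = directory.parent


def group_sources_by_database(
        sources: Iterable[Path],
        stop_at: Optional[Path] = None) -> Dict[Optional[Path], List[Path]]:
    """Bucket source files by the database that describes them, so every root
    can be analyzed with its own compilation database. Files without one land
    under the None key, where a driver should report them as not analyzable."""
    groups: Dict[Optional[Path], List[Path]] = {}
    for src in sources:
        groups.setdefault(find_compilation_database(src, stop_at), []).append(src)
    return groups


def _write_db(directory: Path, source: Path) -> None:
    # One constructed compilation database entry for a single file.
    entry = {"directory": str(directory), "file": str(source),
             "command": f"cc -c {source}"}
    (directory / DB_NAME).write_text(json.dumps([entry], indent=2))


def build_demo_tree(root: Path) -> List[Path]:
    """Constructed multiroot layout: app/ and lib/core/ each own a database,
    orphan/ has none and nothing above it (within root) does either."""
    sources = [root / "app" / "src" / "main.c",
               root / "lib" / "core" / "hash.c",
               root / "orphan" / "lone.c"]
    for src in sources:
        src.parent.mkdir(parents=True, exist_ok=True)
        src.write_text("int main(void) { return 0; }\n")
    _write_db(root / "app", sources[0])
    _write_db(root / "lib" / "core", sources[1])
    return sources


def demo() -> Dict[str, Optional[str]]:
    """Run the lookup on the constructed tree; keys and values are paths
    relative to the temporary root, None where no database was found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        result: Dict[str, Optional[str]] = {}
        for src in build_demo_tree(root):
            db = find_compilation_database(src, stop_at=root)
            result[src.relative_to(root).as_posix()] = (
                db.relative_to(root).as_posix() if db else None)
        return result


if __name__ == "__main__":
    for src, db in demo().items():
        print(f"{src:18} -> {db or '(no compilation database found)'}")
```

A driver built on this would run one analysis per group, passing each group's own database, and fail loudly on the None bucket instead of silently skipping those files.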

Support report annotations and add dynamic analyzer related annotations

CodeChecker is now able to parse additional fields from plist files especially relevant to dynamic analyses.

<key>diagnostics</key>
<array>
  <dict>
    <key>category</key>
    <string>Memory error</string>
    ...
    <dict>
      <key>timestamp</key>
      <string>2000-01-01 10:00</string>
      <key>testsuite</key>
      <string>TS-1</string>
      ...
    </dict>
  </dict>
</array>


Unlike for static analyzers, the time of the detection can be a crucial piece of information, as a report may be a result of another preceding report. Users that record the timestamp of the detection and store it in CodeChecker under the new 'Timestamp' field will be able to sort reports by it. CodeChecker now also supports the 'Testsuite' field.

You can read more about this feature in its PR: #3849.
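An added example, not part of the release or of CodeChecker's own parser, of reading such annotated plists with Python's plistlib and ordering the reports by the new timestamp. The sample plist below is constructed in the shape shown above, with the annotation dictionary placed under a `report-annotation` key; that key name is this example's assumption, since the release note elides that part. Reports whose timestamp is missing or malformed are kept but sorted last rather than dropped, and the earliest detection per test suite is picked out, since later reports may be consequences of it.

```python
import plistlib
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the shape shown above (not produced by a real
# analyzer). The "report-annotation" key holding the annotations is an
# assumption of this example; the release note elides that part.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>files</key>
  <array><string>src/alloc.c</string></array>
  <key>diagnostics</key>
  <array>
    <dict>
      <key>category</key><string>Memory error</string>
      <key>check_name</key><string>heap-use-after-free</string>
      <key>description</key><string>use of freed memory</string>
      <key>location</key><dict><key>file</key><integer>0</integer><key>line</key><integer>58</integer></dict>
      <key>report-annotation</key><dict><key>timestamp</key><string>2000-01-01 10:05</string><key>testsuite</key><string>TS-1</string></dict>
    </dict>
    <dict>
      <key>check_name</key><string>double-free</string>
      <key>description</key><string>block freed twice</string>
      <key>location</key><dict><key>file</key><integer>0</integer><key>line</key><integer>41</integer></dict>
      <key>report-annotation</key><dict><key>timestamp</key><string>2000-01-01 10:00</string><key>testsuite</key><string>TS-1</string></dict>
    </dict>
    <dict>
      <key>check_name</key><string>memory-leak</string>
      <key>description</key><string>block never freed</string>
      <key>location</key><dict><key>file</key><integer>0</integer><key>line</key><integer>73</integer></dict>
      <key>report-annotation</key><dict><key>timestamp</key><string>2000-01-01 10:02</string><key>testsuite</key><string>TS-2</string></dict>
    </dict>
    <dict>
      <key>check_name</key><string>uninitialized-read</string>
      <key>description</key><string>read of uninitialized memory</string>
      <key>location</key><dict><key>file</key><integer>0</integer><key>line</key><integer>12</integer></dict>
    </dict>
  </array>
</dict>
</plist>
"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M"  # the "2000-01-01 10:00" form used above


def parse_timestamp(raw: Optional[str]) -> Optional[datetime]:
    """A missing or malformed timestamp yields None instead of failing the
    whole file; the report is still kept, just not orderable by time."""
    if raw is None:
        return None
    try:
        return datetime.strptime(raw, TIMESTAMP_FORMAT)
    except ValueError:
        return None


def load_annotated_reports(plist_bytes: bytes) -> List[Dict]:
    """Flatten each diagnostic plus its annotation into one plain dict."""
    data = plistlib.loads(plist_bytes)
    files = data.get("files", [])
    reports = []
    for diag in data.get("diagnostics", []):
        annotation = diag.get("report-annotation", {})
        location = diag.get("location", {})
        index = location.get("file")
        reports.append({
            "checker": diag.get("check_name"),
            "message": diag.get("description"),
            "file": files[index] if index is not None and index < len(files) else None,
            "line": location.get("line"),
            "timestamp": parse_timestamp(annotation.get("timestamp")),
            "testsuite": annotation.get("testsuite"),
        })
    return reports


def sort_by_timestamp(reports: List[Dict]) -> List[Dict]:
    # sorted() is stable: reports without a timestamp keep file order and go last.
    return sorted(reports, key=lambda r: (r["timestamp"] is None,
                                          r["timestamp"] or datetime.min))


def earliest_per_testsuite(reports: List[Dict]) -> Dict[str, Dict]:
    """The first detection in each test suite is the natural starting point
    when later reports may be consequences of an earlier one."""
    first: Dict[str, Dict] = {}
    for report in sort_by_timestamp(reports):
        if report["timestamp"] is not None and report["testsuite"] is not None:
            first.setdefault(report["testsuite"], report)
    return first


if __name__ == "__main__":
    for r in sort_by_timestamp(load_annotated_reports(SAMPLE_PLIST)):
        when = r["timestamp"].strftime(TIMESTAMP_FORMAT) if r["timestamp"] else "no timestamp"
        print(f"{when:16} {r['testsuite'] or '-':5} {r['file']}:{r['line']} {r['checker']}")
```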

❗ Backward incompatible changes

  • [cmd] Remove some deprecated flags. #3823
  • [cmd] Remove --tidy-config flag #3822
  • [cmd] Remove some deprecated flags. #3823
    • CodeChecker checkers --only-enabled: DEPRECATED. Show only the enabled checkers. Use CodeChecker checkers --details to list the checker status (enabled/disabled).
    • CodeChecker checkers --only-disabled: Use CodeChecker checkers --details to list the checker status.
    • CodeChecker cmd diff -s, --suppressed: DEPRECATED. Lists the suppressed reports. Use the --review-status [REVIEW_STATUS [REVIEW_STATUS ...]] flag to filter the results.
    • CodeChecker cmd diff --filter FILTER: DEPRECATED. Filter diff results. Use the --review-status [REVIEW_STATUS [REVIEW_STATUS ...]] flag to filter the results.
    • CodeChecker cmd sum --disable-unique: DEPRECATED. Use the '--uniqueing' option to get uniqueing results.
  • [cmd] Remove the CodeChecker analyzer --tidy-config flag #3822
    • CodeChecker analyze [--tidy-config TIDY_CONFIG]: DEPRECATED and removed.
      Use CodeChecker analyzers --analyzer-config clang-tidy to list the analyzer options.
      Use e.g. CodeChecker analyze --analyzer-config clang-tidy:WarningsAsErrors=true to set a parameter.
      Alternatively you can use .clang-tidy config files too.

πŸ› Analyzer improvements

  • ignore -fno-keep-inline-dllexport gcc option #3813
  • Fix error using Clang option '-stdlib=libc++' #3808
  • [fix] Fix a condition about checkers being compiler warnings #3838
  • [analyzer] Promote the missing checker warning to an error #3820
  • [fix] Pass arch flag correctly #3854

🔍 Profile changes

  • bugprone-standalone-empty: default, extreme, sensitive
  • bugprone-unsafe-functions: extreme, security, sensitive
  • cert-msc24-c: alias of bugprone-unsafe-functions
  • cert-msc33-c: alias of bugprone-unsafe-functions
  • cppcoreguidelines-avoid-capture-default-when-capturing-this: extreme, sensitive
  • cppcoreguidelines-avoid-capturing-lambda-coroutines: default, extreme, sensitive
  • cppcoreguidelines-avoid-reference-coroutine-parameters: default, extreme, sensitive
  • cppcoreguidelines-rvalue-reference-param-not-moved: extreme, sensitive
  • llvmlibc-inline-function-decl: style
  • misc-use-anonymous-namespace: default, extreme, sensitive
  • Document the new checker misc-use-anonymous-namespace #3803
  • [cfg] Assign new check profiles for 6.22RC1 #3861

💻 CLI/Server improvements

  • Further enhancements to speed up the store procedure #3796
  • Multiroot analysis #3815
    CodeChecker now supports an analysis mode where for each source file,
    it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.
    clangd and clang-tidy work this way: https://clangd.llvm.org/installation.html
    This feature allows the analysis of multi-root projects also in the vscode plugin Ericsson/CodecheckerVSCodePlugin#113
    Previously the input of analysis was a compilation database JSON file. The aim of this PR is to support the following analysis invocations:
    # Analyze one source file.
    CodeChecker analyze main.c -o reports

    # Analyze all source files under a directory.
    CodeChecker analyze my_project -o reports
  • Support report annotations and add dynamic analyzer related annotations #3849
  • Required format for --checker-config #3817
    The "CodeChecker analyze" command has a --checker-config flag. The parameter of this flag should be in the following format:
    <analyzer>:<checker>:<option>=<value>. This format is checked and an error message is emitted if the format is not met.
  • [cmd] Gracefully exit instead of crashing when cmd diff is missing a param #3801
  • cppcheck: allow spaces in path #3812
  • [cmd] Fix a crash with CodeChecker cmd diff --unique on #3816
  • [bugfix] Don't convert cppcheck parameters to absolute path #3821
  • [cmd] Deprecate --warnings flag #3802
  • [gui] Fix for filter product in gui test #3469
  • [web] Fix stale permission caching #3840
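As an added example for the --checker-config format required by #3817 above (the same item is listed in the 6.22.0 notes further up), the Python below splits one argument into its four fields and rejects anything else. The validation rules are this example's own, not CodeChecker's code; the clang-tidy option name in the usage block is a real one, the `Demo` option under `core.CallAndMessage` is constructed to show a value that itself contains ':' and '='.

```python
from typing import Iterable, List, NamedTuple


class CheckerConfig(NamedTuple):
    analyzer: str
    checker: str
    option: str
    value: str


def parse_checker_config(arg: str) -> CheckerConfig:
    """Split one --checker-config argument of the form
    <analyzer>:<checker>:<option>=<value>.

    Only the first two ':' and the first '=' act as separators, so a value may
    itself contain ':' or '=' (a regex or a macro list, say). Anything that does
    not yield an analyzer, a checker, an option and an '=' is rejected with a
    ValueError that quotes the offending text. This validation is the example's
    own, not CodeChecker's implementation.
    """
    expected = "expected <analyzer>:<checker>:<option>=<value>"
    parts = arg.split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"{arg!r}: {expected}")
    analyzer, checker, option_value = parts
    option, sep, value = option_value.partition("=")
    if not (analyzer and checker and option and sep):
        raise ValueError(f"{arg!r}: {expected}")
    return CheckerConfig(analyzer, checker, option, value)


def parse_checker_configs(args: Iterable[str]) -> List[CheckerConfig]:
    """Parse every argument and report all malformed ones at once, so a CI
    job fails with the complete list instead of one error per rerun."""
    parsed: List[CheckerConfig] = []
    errors: List[str] = []
    for arg in args:
        try:
            parsed.append(parse_checker_config(arg))
        except ValueError as exc:
            errors.append(str(exc))
    if errors:
        raise ValueError("invalid --checker-config value(s):\n  " + "\n  ".join(errors))
    return parsed


if __name__ == "__main__":
    # The second value is constructed; its value part deliberately contains ':' and '='.
    for cfg in parse_checker_configs([
            "clang-tidy:bugprone-assert-side-effect:CheckFunctionCalls=true",
            "clangsa:core.CallAndMessage:Demo=a:b=c"]):
        print(cfg)
```

A common mistake this catches is passing an --analyzer-config style value (`clang-tidy:WarningsAsErrors=true`, two fields) to --checker-config; it fails the three-field check with the value quoted in the message.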

🌳 Environment

  • [req] Upgrade lxml to 4.9.1 #3799
  • Fix three bugs and a couple of style issues #3804
  • Updates to setup.py/PyPI configuration #3819
  • [test] Upgrade to Python 3.8 in GitHub Actions #3859

📖 Documentation updates

  • README.md: add python3-setuptools dependency #3729
  • [docs] Reword what labels, guidelines, checkers mean, and their enabling #3845

🔨 Other

  • [version] Bump version to 6.22.0 #3787
  • [repo] Add vim sessions file to gitignore #3792
  • [docs] Fix facebook-infer links #3834
  • [tests] Change subprocess.call to subprocess.Popen #3837
  • Change dev/test servers port from default #3833

codechecker - v6.21.0

Published by Szelethus almost 2 years ago

πŸ› Analyzer improvements

  • [report-converter] Support Roslynator (#3765)
    The Roslynator project contains several analyzers for C# built on top of Microsoft Roslyn. CodeChecker now supports the visualization of these C# analysis results. It also provides a .NET tool for running Roslyn code analysis from the command line. It is not limited to Microsoft and Roslynator analyzers; it supports any Roslyn analyzer. It can also report MSBuild compiler diagnostics.

💻 CLI/Server improvements

  • Make CodeChecker store about twice as fast (#3777)
    This small change from a regex to a string search is expected to shave off the time it takes to run a CodeChecker store command by as much as 50%!
  • [fix] Speed up resolved diffing (#3771)
    This fixes the everlasting diff runtime, when the report count is large (~60000) and the ReviewStatusRule count is also substantial.

🔍 Profile changes

  • [analyzer][clang][clang-tidy] Assign new check profiles (#3769)
    • bugprone-assignment-in-if-condition: extreme (no longer in the sensitive and default profiles)
    • bugprone-signal-handler: default (new), security (new), sensitive, extreme
    • bugprone-suspicious-realloc-usage (new): default, sensitive, extreme
    • bugprone-stringview-nullptr (new): default, sensitive, extreme
    • bugprone-unchecked-optional-access (new): extreme
    • cert-sig30-c: removed from all profiles (as it is an alias to bugprone-signal-handler)
    • cppcoreguidelines-avoid-const-or-ref-data-members: sensitive (new), extreme
    • cppcoreguidelines-avoid-do-while (new): extreme
    • misc-const-correctness: removed from all profiles (it was too extreme even for extreme)
    • misc-misleading-bidirectional: default, security (new), sensitive, extreme
    • misc-misleading-identifier (new): default, security, sensitive, extreme
    • alpha.unix.Errno: sensitive (new), extreme
    • core.uninitialized.NewArraySize (new): default, sensitive, extreme
    • alpha.unix.cstring.UninitializedRead (new): extreme

📖 Documentation updates

  • [analyzer][doc] Mention that Z3 as the constraint solver is highly unstable (#3772)
    While LLVM supports the usage of Z3, that doesn't mean the same for the Clang Static Analyzer. It is a highly experimental feature that may or may not be generally available in a stable way, which is now better explained in the docs and in --help messages.
  • [doc] Refurbish several parts of the README (#3763)
    • Self-advertise the CodeChecker GitHub CI action!
    • Added the PLDI'2020 talk about CodeChecker to the papers section
    • Moved information about Python 2 lower as it is no longer really an important thing in today's world
    • Figure out the new LLVM monorepo commit for the referenced SVN commit that introduced Bug hashes to Clang SA

🔨 Other improvements/fixes

  • Quick fix for cppcheck environment (#3744)
    The cppcheck needs the original environment when invoked. This quick fix restores it at analyzer invocation.
  • [bugfix] Old client has different behavior with new server (#3746, #3747)
    So far, we have supported the communication between a CodeChecker server and almost all older CodeChecker client versions. For CodeChecker servers on version 6.20.0, clients issuing CodeChecker cmd diff to the server got incorrect results, which this PR fixes.
  • [bugfix] Don't update review status date (#3749)
    When a review status is set in the GUI then a new entry is inserted to review_statuses table. Every time the same report is stored, its review status date used to be updated, which was a bug, since the storage date is NOT the same as the review status date.
  • Document 'cppcoreguidelines-avoid-const-or-ref-data-members' (#3734)
  • Document 'bugprone-suspicious-realloc-usage' (#3755)
  • Escape &, <, > from the source C-files to HTML-output (#3748)
    This fixed a bug where CodeChecker parse --export html produced an invalid HTML file.
  • [feat] Comment lines in skipfile (#3768)
    The hashmark (#) character can now be used to comment lines out in CodeChecker skip files!
  • Issue a warning about this release being only an RC (#3780)
    CodeChecker version now warns users about the current release being only a release candidate. Please create a bug report if you find anything wrong, so we can fix it for the proper release!
  • [fix] Ignore files that .gitignore ignores (#3785)
  • Set "anywhere on path" in URL (#3783)
    In the previous release, on the gui, when the "anywhere on path" filter was set, it wasn't saved in the URL. It is now!
  • [bugfix] Don't crash with intercept-build based compilation database (#3685)
    CodeChecker was only really compatible with compilation databases where "command" was used instead of "arguments" as the actual command to execute. This is now fixed.
  • [db] Garbage collection of analysis_info timeout (#3775)
    The garbage collection of analysis_info table has been restructured because the original query exceeded a 2min timeout.

codechecker - v6.21.0-rc1

Published by Szelethus almost 2 years ago

πŸ› Analyzer improvements

  • [report-converter] Support Roslynator (#3765)
    The Roslynator project contains several analyzers for C# built on top of Microsoft Roslyn. CodeChecker now supports the visualization of these C# analysis results. It also provides a .NET tool for running Roslyn code analysis from the command line. It is not limited to Microsoft and Roslynator analyzers; it supports any Roslyn analyzer. It can also report MSBuild compiler diagnostics.

💻 CLI/Server improvements

  • Make CodeChecker store about twice as fast (#3777)
    This small change from a regex to a string search is expected to shave off the time it takes to run a CodeChecker store command by as much as 50%!
  • [fix] Speed up resolved diffing (#3771)
    This fixes the everlasting diff runtime, when the report count is large (~60000) and the ReviewStatusRule count is also substantial.

🔍 Profile changes

  • [analyzer][clang][clang-tidy] Assign new check profiles (#3769)
    • bugprone-assignment-in-if-condition: extreme (no longer in the sensitive and default profiles)
    • bugprone-signal-handler: default (new), security (new), sensitive, extreme
    • bugprone-suspicious-realloc-usage (new): default, sensitive, extreme
    • bugprone-stringview-nullptr (new): default, sensitive, extreme
    • bugprone-unchecked-optional-access (new): extreme
    • cert-sig30-c: removed from all profiles (as it is an alias to bugprone-signal-handler)
    • cppcoreguidelines-avoid-const-or-ref-data-members: sensitive (new), extreme
    • cppcoreguidelines-avoid-do-while (new): extreme
    • misc-const-correctness: removed from all profiles (it was too extreme even for extreme)
    • misc-misleading-bidirectional: default, security (new), sensitive, extreme
    • misc-misleading-identifier (new): default, security, sensitive, extreme
    • alpha.unix.Errno: sensitive (new), extreme
    • core.uninitialized.NewArraySize (new): default, sensitive, extreme
    • alpha.unix.cstring.UninitializedRead (new): extreme

📖 Documentation updates

  • [analyzer][doc] Mention that Z3 as the constraint solver is highly unstable (#3772)
    While LLVM supports the usage of Z3, that doesn't mean the same for the Clang Static Analyzer. It is a highly experimental feature that may or may not be generally available in a stable way, which is now better explained in the docs and in --help messages.
  • [doc] Refurbish several parts of the README (#3763)
    • Self-advertise the CodeChecker GitHub CI action!
    • Added the PLDI'2020 talk about CodeChecker to the papers section
    • Moved information about Python 2 lower as it is no longer really an important thing in today's world
    • Figure out the new LLVM monorepo commit for the referenced SVN commit that introduced Bug hashes to Clang SA

🔨 Other improvements/fixes

  • Quick fix for cppcheck environment (#3744)
    The cppcheck needs the original environment when invoked. This quick fix restores it at analyzer invocation.
  • [bugfix] Old client has different behavior with new server (#3746, #3747)
    So far, we have supported the communication between a CodeChecker server and almost all older CodeChecker client versions. For CodeChecker servers on version 6.20.0, clients issuing CodeChecker cmd diff to the server got incorrect results, which this PR fixes.
  • [bugfix] Don't update review status date (#3749)
    When a review status is set in the GUI then a new entry is inserted to review_statuses table. Every time the same report is stored, its review status date used to be updated, which was a bug, since the storage date is NOT the same as the review status date.
  • Document 'cppcoreguidelines-avoid-const-or-ref-data-members' (#3734)
  • Document 'bugprone-suspicious-realloc-usage' (#3755)
  • Escape &, <, > from the source C-files to HTML-output (#3748)
    This fixed a bug where CodeChecker parse --export html produced an invalid HTML file.
  • [feat] Comment lines in skipfile (#3768)
    The hashmark (#) character can now be used to comment lines out in CodeChecker skip files!
  • Issue a warning about this release being only an RC (#3780)
    CodeChecker version now warns users about the current release being only a release candidate. Please create a bug report if you find anything wrong, so we can fix it for the proper release!

codechecker - v6.20.0

Published by Szelethus about 2 years ago

πŸ› Analyzer improvements

  • Cppcheck support (#3680)
    Cppcheck is a static analyzer tool which is now driven by CodeChecker. Similar to Clang analysis, Cppcheck also can be configured and executed by CodeChecker. For configuration and execution see Configure Clang Static Analyzer and checkers Guide
    Please note that you need to add cppcheck to your PATH (env var) before using it with CodeChecker.
    WARNING: The analysis results depend on which cppcheck version you configured
  • Merge, and don't override when multiple --analyzer-configs are specified (#3655)
    When multiple --analyzer-config options are given to CodeChecker then only the last one was taken into account. From this version both are handled: --analyzer-config <option1> --analyzer-config <option2>. The old format is also still available: --analyzer-config <option1> <option2>. This is especially useful when you specify the base analysis parameters in the codechecker_config file and you want to override certain parameters in the command line.

💻 CLI/Server improvements

  • Refactored Review Status Handling
    • Changed handling of in-code suppressions (e.g. //codechecker_suppress [ all ] This is a false warning) (#3580)
      Review status is now connected to the individual reports instead of all reports with the same report hash.
      This makes it possible to mark a bug as a false positive on one branch (and store it in a run) and mark it as intentional on another branch.
      Warning: The different handling of such rare cases can cause a change in the checker statistics.

    • Changed handling of suppressions in the GUI (#3646)
      If you handle suppressions in the GUI instead of the source code, the suppressions remain effective for all reports identified by the same bug hash. These are called "suppression rules". You can list and manage such rules in the "Review Status Rules" window:

    • Changed visualization of false positive and intentional reports in the Outstanding Reports Statistics
      Outstanding report statistics excluded false positive reports from the graphs even for time periods, when these reports were active. After this change, the reports will be counted in the outstanding reports graphs until the time they were classified as false positive. So you will be able to see a decreasing trend in the outstanding reports graph, after you classify reports false positive.


  • Find reports by file anywhere on bugpath (#3717)
    In the GUI the set of reports can be filtered by filename or source component. However, these filters concern the last bug point, i.e. one can list the set of reports ending in a specific file.
    A new filter option has been introduced which returns all reports where the file is involved at any part of the bug path.

  • Fix storage of headers with same name in different paths (#3706)
    When a header file occurred in multiple directories with the same name (for example multiple standard libraries at different locations are involved in the project) then only one of them was stored to the server. This has been fixed, so all instances are stored now.
  • --trim-path-prefix flag may now contain joker characters (#3674)
    --trim-path-prefix flag helps to remove a given prefix of each file path during report storage. This prefix may now contain joker characters too. The longest matching prefix will be eliminated from each file path.
  • Don't ignore compiler warnings, even if clangtidy:take-config-from-directory=true is specified (#3698)
    clangtidy:take-config-from-directory is an analyzer config that makes ClangTidy get its arguments from a .clang-tidy file, and only from that
    file. What this implies, is that all other options on the command line for ClangTidy will be ignored. The problem was that this also ignores compiler warnings, so it has been fixed.
  • Garbage collection enhancement in "files" table (#3710)
    When a run storage and a run removal occur concurrently, both referring to the same file, a foreign key constraint error may be raised on the server side and the storage fails. This has been fixed.
  • Import the suppressions per report (#3693)
    CodeChecker cmd suppress run_name -i <import_file> will only import suppressions for the run indicated by run_name, and not all reports in all runs.
  • Fix remote diff behavior (#369)
    When two runs are compared then reports should be considered as closed even if their review status is false positive or intentional.
  • Speed up run deletion (#3700)
    Sometimes run deletion is a slow operation due to cascades and such. So runs are deleted in separate transactions in order to avoid potential statement timeouts in a DBMS.
  • Get failed files with CodeChecker cmd runs --details (#3669)
    This command now lists the files that failed to analyze.
  • Fix storage of context-insensitive ClangSA reports (#3662)
    In some cases ClangSA produced plists where an included file had a context-insensitive bug report at the exact same "file:row:col:checker", but with a different bug hash. Only one instance of these reports was stored before this release.
  • Fix exceptions during blame information storage (#3647)
    When the HEAD file exists in the .git directory but the user who is running the CodeChecker store command doesn't have permission to this file then the storage failed.
  • Fix uniqueing compilation commands (#3635)

🔍 Profile changes

  • The following checkers are added to the following profiles (#3714)
    • alpha.unix.Errno: extreme
    • bugprone-assignment-in-if-condition: default, sensitive, extreme
    • misc-const-correctness: extreme
    • misc-confusable-identifiers: default, sensitive, extreme
    • modernize-macro-to-enum: extreme
  • All cppcheck checkers from the error and warning categories have been added to the default profile

📖 Documentation updates

  • Refactoring the analyzer user guide (#3694)
  • Checker documentation URLs have changed in ClangTidy (#3715)
  • Fix some links in README.md (#3512)
  • Enhancement of the user guides related to the run comparison feature (#3696)
  • Fix some CLI usage examples in the docs (#3666)
  • Add documentation to the python thrift client example (#3652)

🔨 Other improvements/fixes

  • Fix ctu extdef mapping file with space problem (#3653)
    CodeChecker uses clang-extdef-mapping utility during CTU analysis. This collects for each function definition in which file they have been defined. The format of this mapping file changed, and this change needs to be adapted in CodeChecker.
  • Adding dev_package make target (#3682)
    This make target creates symlinks in the build directory to the source files. This way it is not necessary to rebuild CodeCompass for each source code change during development. Known issue: CC_LIB_DIR needs to be set to the .../build/CodeChecker/lib/python3 directory.
  • Fix install of PPA clang-tidy in config coverage job (#3678)
    Fixing a broken installation in GitHub Actions.
  • Add a job that checks coverage of checker labelling (#3367)
  • Minor improve some debug logs (#3659)
    There was a debug log which could not be used for debugging, because the arguments containing whitespaces were not quoted properly.
  • Fix the incorrect run count on the product page (#3733)
    Due to a bug in our caching strategy, the number of runs in a product displayed on the product page was sometimes higher than the actual count (which was correctly displayed in the bottom left of the run page). This occurred when multiple runs were deleted at once.

codechecker - v6.20.0-rc1

Published by bruntib about 2 years ago

πŸ› Analyzer improvements

  • Cppcheck support (#3680)
    Cppcheck is a static analyzer tool which is now driven by CodeChecker. Similar to Clang analysis, Cppcheck also can be configured and executed by CodeChecker. For configuration and execution see Configure Clang Static Analyzer and checkers Guide
    Please note that you need to add cppcheck to your PATH (env var) before using it with CodeChecker.
    WARNING: The analysis results depend on which cppcheck version you configured
  • Merge, and don't override when multiple --analyzer-configs are specified (#3655)
    When multiple --analyzer-config options are given to CodeChecker then only the last one was taken into account. From this version both are handled: --analyzer-config <option1> --analyzer-config <option2>. The old format is also still available: --analyzer-config <option1> <option2>.
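An added Python illustration of the merging behaviour described in the item above (the same item, with the config-file use case spelled out, appears in the 6.20.0 notes further up). It is not CodeChecker's argument parser: argparse is set up so that every --analyzer-config occurrence is kept instead of the last one winning, both spellings are accepted, and a base set taken from a config file is overridden by later command-line values. The sample values in the usage block are constructed.

```python
import argparse
from typing import Dict, List, Optional, Tuple


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="analyze-demo")
    # action="append" keeps every occurrence of the flag (a plain "store"
    # action is what makes the last occurrence silently win); nargs="+"
    # still accepts the older "--analyzer-config a b" spelling.
    parser.add_argument("--analyzer-config", dest="analyzer_config",
                        action="append", nargs="+", default=None,
                        metavar="ANALYZER:OPTION=VALUE")
    return parser


def merge_analyzer_configs(argv: List[str]) -> Dict[Tuple[str, str], str]:
    """Flatten all --analyzer-config groups into one mapping keyed by
    (analyzer, option). The same key given twice resolves to the later value,
    which is what lets command-line flags override a base configuration."""
    args = build_parser().parse_args(argv)
    groups: Optional[List[List[str]]] = args.analyzer_config
    merged: Dict[Tuple[str, str], str] = {}
    for group in groups or []:
        for item in group:
            analyzer, _, option_value = item.partition(":")
            option, sep, value = option_value.partition("=")
            if not (analyzer and option and sep):
                raise ValueError(f"{item!r}: expected <analyzer>:<option>=<value>")
            merged[(analyzer, option)] = value
    return merged


def config_file_then_cli(config_file_args: List[str],
                         cli_args: List[str]) -> Dict[Tuple[str, str], str]:
    """Emulate the codechecker_config file use case: its arguments are placed
    before the ones typed on the command line, so the command line overrides
    individual options while the rest of the base set stays in effect."""
    return merge_analyzer_configs(config_file_args + cli_args)


if __name__ == "__main__":
    base = ["--analyzer-config", "clangsa:mode=deep", "clang-tidy:WarningsAsErrors=false"]
    cli = ["--analyzer-config", "clang-tidy:WarningsAsErrors=true"]
    for (analyzer, option), value in config_file_then_cli(base, cli).items():
        print(f"{analyzer}:{option}={value}")
```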

💻 CLI/Server improvements

  • Refactored Review Status Handling
    • Changed handling of in-code suppressions (e.g. //codechecker_suppress [ all ] This is a false warning) (#3580)
      Review status is now connected to the individual reports instead of all reports with the same report hash.
      This makes it possible to mark a bug as a false positive on one branch (and store it in a run) and mark it as intentional on another branch.
      Warning: The different handling of such rare cases can cause a change in the checker statistics.

    • Changed handling of suppressions in the GUI (#3646)
      If you handle suppressions in the GUI instead of the source code, the suppressions remain effective for all reports identified by the same bug hash. These are called "suppression rules". You can list and manage such rules in the "Review Status Rules" window:

    • Changed visualization of false positive and intentional reports in the Outstanding Reports Statistics
      Outstanding report statistics excluded false positive reports from the graphs even for time periods, when these reports were active. After this change, the reports will be counted in the outstanding reports graphs until the time they were classified as false positive. So you will be able to see a decreasing trend in the outstanding reports graph, after you classify reports false positive.


  • Find reports by file anywhere on bugpath (#3717)
    In the GUI the set of reports can be filtered by filename or source component. However, these filters concern the last bug point, i.e. one can list the set of reports ending in a specific file.
    A new filter option has been introduced which returns all reports where the file is involved at any part of the bug path.

  • Fix storage of headers with same name in different paths (#3706)
    When a header file occurred in multiple directories with the same name (for example multiple standard libraries at different locations are involved in the project) then only one of them was stored to the server. This has been fixed, so all instances are stored now.
  • --trim-path-prefix flag may now contain joker characters (#3674)
    --trim-path-prefix flag helps to remove a given prefix of each file path during report storage. This prefix may now contain joker characters too. The longest matching prefix will be eliminated from each file path.
  • Don't ignore compiler warnings, even if clangtidy:take-config-from-directory=true is specified (#3698)
    clangtidy:take-config-from-directory is an analyzer config that makes ClangTidy get its arguments from a .clang-tidy file, and only from that
    file. What this implies, is that all other options on the command line for ClangTidy will be ignored. The problem was that this also ignores compiler warnings, so it has been fixed.
  • Garbage collection enhancement in "files" table (#3710)
    When a run storage and a run removal occur concurrently, both referring to the same file, a foreign key constraint error may be raised on the server side and the storage fails. This has been fixed.
  • Import the suppressions per report (#3693)
    CodeChecker cmd suppress run_name -i <import_file> will only import suppressions for the run indicated by run_name, and not all reports in all runs.
  • Fix remote diff behavior (#369)
    When two runs are compared then reports should be considered as closed even if their review status is false positive or intentional.
  • Speed up run deletion (#3700)
    Sometimes run deletion is a slow operation due to cascades and such. So runs are deleted in separate transactions in order to avoid potential statement timeouts in a DBMS.
  • Get failed files with CodeChecker cmd runs --details (#3669)
    This command now lists the files that failed to analyze.
  • Fix storage of context-insensitive ClangSA reports (#3662)
    In some cases ClangSA produced plists where an included file had a context-insensitive bug report at the exact same "file:row:col:checker", but with a different bug hash. Only one instance of these reports was stored before this release.
  • Fix exceptions during blame information storage (#3647)
    When the HEAD file exists in the .git directory but the user who is running the CodeChecker store command doesn't have permission to this file then the storage failed.
  • Fix uniqueing compilation commands (#3635)
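An added example of the longest-matching-prefix rule for --trim-path-prefix (#3674) described above; the item appears in both the 6.20.0 and 6.20.0-rc1 notes. It is this page's own Python, not CodeChecker's implementation, and it assumes that only * and ? are jokers and that neither crosses a '/', so a pattern can only remove whole path components; without that restriction a pattern like /ci/build-* would swallow the entire path.

```python
import re
from typing import Iterable, List, Optional


def _joker_to_regex(pattern: str) -> "re.Pattern":
    """'*' and '?' are the jokers; neither crosses a '/', so a pattern can
    only swallow whole path components. Everything else is literal."""
    parts = []
    for ch in pattern.rstrip("/"):
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def longest_matching_prefix(path: str, patterns: Iterable[str]) -> Optional[str]:
    """Return the longest leading part of `path` that some pattern matches in
    full and that ends on a path-component boundary, or None if no pattern
    matches. When several patterns match, the one consuming most wins."""
    best: Optional[str] = None
    for pattern in patterns:
        regex = _joker_to_regex(pattern)
        # Try the longest candidate first; the first hit is this pattern's longest match.
        for cut in range(len(path), 0, -1):
            if cut != len(path) and path[cut] != "/":
                continue  # a prefix must end where a component ends
            if regex.fullmatch(path[:cut]):
                if best is None or cut > len(best):
                    best = path[:cut]
                break
    return best


def trim_path_prefix(path: str, patterns: Iterable[str]) -> str:
    """Strip the longest matching prefix (and the separator after it) from
    `path`; a path that no pattern matches is returned unchanged."""
    prefix = longest_matching_prefix(path, patterns)
    if prefix is None:
        return path
    return path[len(prefix):].lstrip("/")


def trim_all(paths: Iterable[str], patterns: Iterable[str]) -> List[str]:
    patterns = list(patterns)  # the same patterns are reused for every path
    return [trim_path_prefix(p, patterns) for p in paths]


if __name__ == "__main__":
    # Constructed paths: two CI workspaces that differ only in the build number.
    for trimmed in trim_all(["/ci/build-42/src/a.c", "/ci/build-43/include/b.h"],
                            ["/ci/build-*"]):
        print(trimmed)
```

Trimming to a build-independent path is what keeps the same report hash stable across CI runs, so the GUI can match reports from one run to the next instead of showing every finding as new.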

🔍 Profile changes

  • The following checkers are added to the following profiles (#3714)
    • alpha.unix.Errno: extreme
    • bugprone-assignment-in-if-condition: default, sensitive, extreme
    • misc-const-correctness: extreme
    • misc-confusable-identifiers: default, sensitive, extreme
    • modernize-macro-to-enum: extreme
  • All cppcheck checkers from the error and warning categories have been added to the default profile

📖 Documentation updates

  • Refactoring the analyzer user guide (#3694)
  • Checker documentation URLs have changed in ClangTidy (#3715)
  • Fix some links in README.md (#3512)
  • Enhancement of the user guides related to the run comparison feature (#3696)
  • Fix some CLI usage examples in the docs (#3666)
  • Add documentation to the python thrift client example (#3652)

🔨 Other improvements/fixes

  • Fix ctu extdef mapping file with space problem (#3653)
    CodeChecker uses clang-extdef-mapping utility during CTU analysis. This collects for each function definition in which file they have been defined. The format of this mapping file changed, and this change needs to be adapted in CodeChecker.
  • Adding dev_package make target (#3682)
    This make target creates symlinks in the build directory to the source files. This way it is not necessary to rebuild CodeCompass for each source code change during development. Known issue: CC_LIB_DIR needs to be set to the .../build/CodeChecker/lib/python3 directory.
  • Fix install of PPA clang-tidy in config coverage job (#3678)
    Fixing a broken installation in GitHub Actions.
  • Add a job that checks coverage of checker labelling (#3367)
  • Minor improve some debug logs (#3659)
    There was a debug log which could not be used for debugging, because the arguments containing whitespaces were not quoted properly.

codechecker - v6.19.1

Published by csordasmarton over 2 years ago

πŸ› Analyze fixes

  • Disappearing --stats flag (#3630, #3633)
    The CodeChecker analyze command has a --stats flag if there is at least one checker containing statisticsbased in its name. We use the checker listing function to determine the list of checkers, but by default it excludes modeling checkers. This default behavior should be overridden when checking whether the underlying Clang supports statistics based checkers.
  • Add -sdkroot option to COMPILE_FLAGS structure (#3631)
    A special downstream compiler duplicated the --sysroot option, and CodeChecker is not aware of the option chosen by this downstream
    compiler. Adding these entries enables CodeChecker to not drop or strip the arguments to this option when interpreted and driven from a
    compile_commands.json file.

🔨 Other fixes

  • Add pyyaml dependency to the web part to fix docker container (#3626)
  • Fix snap package build (#3624)

For more information check the milestone.

codechecker - v6.19.0

Published by csordasmarton over 2 years ago

❗❗❗ Backward incompatible changes ❗❗❗

  • Fix JSON format of CodeChecker version subcommand (#3558)
    The output of the CodeChecker version -o json command wasn't a valid JSON format. From this release CodeChecker will provide a valid JSON output for this command.
    For more information see the documentation.
  • Not allowing disabling modeling checkers in ClangSA (#3323)
    When a Clang Static Analyzer checker is disabled in CodeChecker, clang is invoked with the analyzer-disable-checker flag. This allowed the user to disable core modeling checkers such as unix.DynamicMemoryModeling, which causes the checkers depending on them to malfunction.
    From this release modeling and debug checkers (listed with clang -cc1 -analyzer-checker-help-developer) will not be listed and cannot be disabled through CodeChecker with the --enable and --disable flags.
    They can be enabled/disabled through the Clang Static Analyzer specific --saargs flag only.
  • Change minimum supported node version (#3581, #3586)
    The minimum supported node version to build CodeChecker after this release is >=14.17.0.

⭐ New features

  • Add print-steps option to CodeChecker cmd diff command (#3555)
    Without bug steps it is hard for a programmer to understand the problem. With this commit we introduce a new option for the CodeChecker cmd diff command which can be used to print bug steps, similar to what we do in the CodeChecker parse command. This patch also solves the problem of printing bug steps in HTML files for reports which come from a CodeChecker server.
  • Support yaml CodeChecker configuration files (#3602)
    Multiple subcommands have a --config option which allows configuration from an explicit configuration file. The parameters in the config file are emplaced as command line arguments. Previously we supported only the JSON format, but the limitation of this format is that we can't add comments to the file, for example why we enabled/disabled a checker, why an option is important etc.
    From this release we will also support YAML format:
    analyzer:
      # Enable/disable checkers.
      - --enable=core.DivideZero
    
    For more information see the documentation.

💻 CLI / Server improvements / fixes

  • Allow --file and skipfile option to be given together and analyze header file (#3616)
    The CodeChecker VSCodePlugin uses the --file parameter to analyze single files. Large projects load their configuration using the --config parameter, and if there is a -i skipfile given in the config, the CodeChecker analyze call reports an error. From this release CodeChecker will allow -i skipfile and --file to be given together.
    Also, if a header file is given to the --file option, CodeChecker will under the hood try to figure out which source files depend on the given header file and analyze those source files.
  • Allow escaping : in run names with \: (#3536)
    In certain scenarios, the run name might contain a : character that does NOT separate a tag from a name. Commands such as server and cmd results accept : as a literal in the name, but cmd diff previously cut it as the "run tag" separator.
  • Update allowed TLS versions (#3594)
    TLS1 and TLS1.1 were deprecated in RFC8996. From this release CodeChecker will enforce the newer TLS1.2 or TLS1.3.
  • Fix HTML generation for CodeChecker cmd diff command (#3600)
    If the diff command result contained reports from multiple source files (e.g.: a.cpp + b.cpp) the CodeChecker cmd diff command in HTML format generated HTML files for each source file but inserted the same list of reports in all of the HTML files. From this release CodeChecker will insert only those reports to a generated HTML file which are really related to that file.
  • Relative doc url to absolute file path (#3609)
    Convert relative doc_url values to absolute file paths in the CodeChecker checkers output. This way other tools can open and view these documentation files easily.
  • Fix html generation for report directory without plists (#3610)
    Fix HTML generation for report directory which doesn't contain any analyzer result (plist) file.
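The run name escaping described above (a `\:` is a literal colon, the first unescaped `:` separates the tag), as an added example that is not CodeChecker's own code: `split_run_name` and `escape_run_name` are assumed names, and the rule that escapes inside the tag are also unescaped is an assumption of this example.

```python
from typing import Optional, Tuple


def split_run_name(run_name: str) -> Tuple[str, Optional[str]]:
    """Return (name, tag) for a ``name:tag`` run name.

    The first unescaped ':' separates the name from the tag. A ``\\:``
    sequence is a literal colon and is unescaped in the result. If there
    is no unescaped ':', the tag is None. (Assumed rules for this example.)
    """
    name_chars = []
    i = 0
    while i < len(run_name):
        ch = run_name[i]
        if ch == "\\" and i + 1 < len(run_name) and run_name[i + 1] == ":":
            # Escaped colon: part of the name, not a tag separator.
            name_chars.append(":")
            i += 2
            continue
        if ch == ":":
            # First unescaped colon: the rest is the tag (escapes unescaped).
            tag = run_name[i + 1:].replace("\\:", ":")
            return "".join(name_chars), tag
        name_chars.append(ch)
        i += 1
    return "".join(name_chars), None


def escape_run_name(name: str) -> str:
    """Escape literal colons so the name survives tag splitting in cmd diff."""
    return name.replace(":", "\\:")


if __name__ == "__main__":
    # Constructed sample: a run name whose ':' is part of the name.
    for sample in ["myrun:v1", r"build\:linux", r"build\:linux:v2"]:
        print(sample, "->", split_run_name(sample))
```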

πŸ” Profile changes

  • The following checkers are added to the following profiles (#3621)
    • bugprone-shared-ptr-array-mismatch: default, extreme, sensitive
    • misc-misleading-bidirectional: default, extreme, sensitive
    • readability-container-contains: default, extreme, sensitive
  • The following checkers are removed from the following profiles (#3618)
    • cppcoreguidelines-narrowing-conversions: extreme

πŸ› Analyze improvements / fixes

  • Proper handling of multi-target build (#3598)
  • Prefer ldlogger over intercept-build (#3605)
  • Quote command line segment using shlex (#3578)
  • Fix ldlogger escaping a bunch of characters (#3589)
  • Handle relative file paths in compilation database (#3587)
  • Avoid plist filenames being the same (#3588)
  • Proper exit code for CodeChecker check in case of exception (#3603).
  • Print info message about logger tool (#3573)
  • Add severity for readability-duplicate-include (#3592)

📖 Documentation updates

  • Update documentation with multiple source code comments in the same line (#3597)
  • Highlight that user must be logged in before token generation (#3599)
  • List possible severity levels for JSON report format (#3604)
  • Extend documentation with implicitly disabled checkers under --enable-all (#3611)
  • Added link to basic database setup (#3541)
  • Fix grammatical and spelling errors in documentations (#3557)
  • Mention CodeChecker vscode extension in the docs (#3585)

🔨 Other improvements / fixes.

  • Thrift Python client example (#3575)
  • No rebuild on satisfied requirements (#3547)
  • Port LD-logger tests to python (#3153)
  • Fix compile warnings, missing return statements, etc. (#3590)
  • Fix the prepare debug scripts (#3614)
  • Upgrade python-ldap to 3.4.0 (#3550)
  • Upgrade lxml to 4.7.1 (#3553)
  • Upgrade npm packages (#3581, #3586)
  • Upgrade python version to 3.9.7 in docker image (#3591)

For more information check the milestone.


🎉 CodeChecker VSCode plugin

We are proud to announce the official release of CodeChecker VSCode plugin.

🌟 Main features

  • Run CodeChecker analysis from the editor and see the results automatically.
  • Re-analyze the current file when saved.
  • Commands and build tasks for running CodeChecker as part of a build system.
  • Browse through the found reports and show the reproduction steps directly in the code.
  • Navigate between the reproduction steps.

💻 Trying It Out

  1. Install CodeChecker version 6.18.2 or later and optionally add it to the PATH environment variable.
  2. Install CodeChecker extension from the Visual Studio Marketplace, from Open VSX or download manually from Downloads.
  3. Check the path to CodeChecker and set your preferred command-line arguments - see Configuring CodeChecker for more information.
  4. Open your project, and run an analysis, or browse through the found reports!
codechecker - v6.18.2

Published by csordasmarton almost 3 years ago

πŸ› Analyze fixes

  • Fix skipping reports (#3559).
    When a skip list was set, not only those reports were skipped that were located in the skipped files, but also those whose bug path traversed a skipped file. This resulted in findings disappearing.
  • Fix static HTML report files (#3570).
    It was not always possible to navigate in the static HTML files, when the bug path traversed multiple files.
  • Remove bugprone-easily-swappable-parameters from sensitive profile (#3579).
    The checker warns for a bugprone coding style at function definitions. It is mostly useful for new code, where new functions are being defined. On the other hand, the checker required too many changes in legacy projects with non-matching coding style.

💻 CLI / Server fixes

  • Fix suppressing bug on the server (#3563).
    When the report was in multiple lines, the source code comments in the code were not taken into consideration.
  • Fix source line / file for remote reports (#3568).
    An exception was thrown at CodeChecker cmd diff when path trimming was used in the stored results.
  • Fix storage of control points (#3576).
    Not all of the control points were stored on the server, because the plist format that the report converter produced and that the plist parser expected was invalid. As a result, when an analyzer result file was stored on the server, bug path arrows were missing from the GUI.
  • Escape values for v-html attributes (#3549).
    We are using the v-html attribute on the UI side to dynamically render comments and analyzer commands. This can be very dangerous because it can easily lead to XSS vulnerabilities. To solve this problem the server will always return the escaped version of these values, which can then be safely rendered on the UI.
  • Fix link in gerrit output (#3572).
    If CC_REPORT_URL is defined and gerrit format is used at CodeChecker parse or CodeChecker cmd diff commands, the output will contain the value of this environment variable wrapped inside quotes. When this output is sent to gerrit, it will convert URL links to HTML a tags. Unfortunately gerrit will think that the ending quote is part of the URL, so it will not remove it. This way the URL will be invalid.
  • Change permission of stored analysis failure files (#3574).
    Change permission of the stored analysis failure zip files so only the current user/group will have access to this file.
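The v-html escaping fix listed above, as an added example that is not CodeChecker's own code: a constructed comment and analyzer command are rendered the vulnerable way (raw value placed into the fragment the UI would set) and the hardened way (escaped on the server with Python's html.escape). The function names are assumptions; the sample values are constructed.

```python
import html

# Constructed sample values of the kind the server hands to the UI.
SAMPLE_COMMENT = 'Looks fine <script>alert("x")</script>'
SAMPLE_ANALYZER_CMD = 'clang --analyze -DVERSION="1<2" main.c && echo done'


def render_comment_unsafe(value: str) -> str:
    """Vulnerable 'before': the raw value ends up as innerHTML via v-html,
    so any markup inside a user comment is interpreted by the browser."""
    return f'<div class="comment">{value}</div>'


def escape_for_ui(value: str) -> str:
    """Server-side hardening: escape &, <, >, " and ' so the value is inert
    when the UI injects it through v-html. The UI must not escape it again,
    otherwise the user sees &amp;lt; instead of <."""
    return html.escape(value, quote=True)


def render_comment_safe(value: str) -> str:
    """Hardened 'after': only the escaped value reaches the fragment."""
    return f'<div class="comment">{escape_for_ui(value)}</div>'


def is_inert(value: str) -> bool:
    """Check helper: True if no raw tag or attribute delimiters remain."""
    return not any(ch in value for ch in '<>"\'')


def roundtrips(value: str) -> bool:
    """Escaping must be lossless: unescaping restores the original text."""
    return html.unescape(escape_for_ui(value)) == value


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
```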

For more information check the milestone.
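The permission change for stored analysis failure zip files listed above, as an added example that is not CodeChecker's own code: the zip is created with mode 0o660 on the open descriptor, so there is no window in which the process umask could leave it readable by other users. The function names, the 0o660 value and the zip contents are assumptions of this example.

```python
import os
import stat
import tempfile
import zipfile

PRIVATE_MODE = 0o660  # owner and group may read/write; no access for others


def write_private_zip(zip_path: str, files: dict) -> int:
    """Write ``files`` (name -> text) into ``zip_path`` as a user/group-only zip.

    The restrictive mode is requested in os.open and then enforced with
    fchmod on the open descriptor (os.open's mode is masked by the umask,
    fchmod is not), so the file is never world-readable, not even briefly.
    Returns the permission bits of the finished file.
    """
    fd = os.open(zip_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PRIVATE_MODE)
    os.fchmod(fd, PRIVATE_MODE)
    with os.fdopen(fd, "wb") as fh, zipfile.ZipFile(fh, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return stat.S_IMODE(os.stat(zip_path).st_mode)


def others_have_access(path: str) -> bool:
    """True if any of the 'other' permission bits (r/w/x) are set on path."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO)


def demo_failure_zip() -> dict:
    """Create a constructed failure zip in a temp directory and report on it."""
    constructed = {
        "build.log": "constructed sample: clang --analyze main.c\n",
        "stderr.txt": "constructed sample: fatal error: 'missing.h' file not found\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "failed_main.c.zip")
        mode = write_private_zip(path, constructed)
        with zipfile.ZipFile(path) as zf:
            members = sorted(zf.namelist())
        return {
            "mode": mode,
            "others_have_access": others_have_access(path),
            "members": members,
        }


if __name__ == "__main__":
    result = demo_failure_zip()
    print(oct(result["mode"]), result["others_have_access"], result["members"])
```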

codechecker - v6.18.1

Published by csordasmarton almost 3 years ago

πŸ› Analyze improvements / fixes

  • Add label for file markdownlint (#3505).
  • Include cppcoreguidelines-virtual-class-destructor in profiles (#3532).
  • Add bugprone-unhandled-exception-at-new to default profile (#3531).

💻 CLI / Server improvements / fixes

  • Add --file filter option for CodeChecker parse command (#3454).
  • Add checker documentation URLs to static HTML files (#3539).
  • Fix html output of CodeChecker parse (#3524, #3538).
  • Handle missing database file ids for file paths (#3508).
  • Simplify query for Other source component (#3534).
  • Improve cli store log (#3533).
  • More info logs at server for storage API request (#3509).
  • Use print_exc at store command (#3511).
  • Fix number of outstanding reports chart (#3544).
  • Fix whitespace in run name links (#3529).
  • Print broken pipe errors properly (#3516).

📖 Documentation updates

  • Update the Usage Guide with failed zips (#3503).
  • Add taint analysis documentation (#3522).
  • Add new features section for 6.18.0 release (#3530).
  • Mention more details in the build instructions (#3517).
  • Documentation for parse JSON output (#3519).

🔨 Other improvements / fixes.

  • Fix building snap package (#3496).
  • Add static files to the pypi package (#3502).
  • Fix running docker container with existing volume (#3540).
  • New build argument (CC_REPO) for docker image (#3543).
  • Fix non-deterministic test in plist to html (#3545).
  • Upgrade lxml to 4.6.4 (#3528).

For more information check the milestone.


💡 Hints

📀 1. Installing CodeChecker

CodeChecker can be installed and used from multiple repositories:

For more information see the installation guide.

πŸ—„οΈ 2. Storage of multiple analyzer results

CodeChecker can be used as a generic tool for visualizing analyzer results of multiple static and dynamic analyzers:

For details see supported code analyzers documentation and the Report Converter Tool.

codechecker - v6.18.0

Published by csordasmarton almost 3 years ago

❗❗❗ Backward incompatible CLI change ❗❗❗

The JSON output of the CodeChecker parse command was not stable enough and the structure was very similar to the plist structure. Our plan is to support reading/parsing/storing of multiple analyzer output types not only plist but for example sarif format as well (http://docs.oasis-open.org/sarif/sarif/v2.0/csprd01/sarif-v2.0-csprd01.html). For this reason we changed the format of the JSON output of the CodeChecker parse and CodeChecker cmd diff command. The new format is described in #3519.

New features

Get access controls (#3476)

Create a new global role (PERMISSION_VIEW) which will be used to allow the users to fetch access control information from a running CodeChecker server by using the CodeChecker cmd permissions subcommand.

Analyze improvements / fixes

  • Uplifting label file for clang 13 (#3485).
  • Add label files for sanitizers (#3471).
  • Add labels for compiler warnings (#3483).
  • Add labels for some supported report converters (#3484).
  • Fix check for response files (#3474).
  • Use -imacros flag instead of -macros (#3428).
  • Ignore -mfp16-format, -fmacro-prefix-map, -fno-defer-pop, -fstack-usage flags (#3433, #3445).
  • Add misra c guideline (#3489).
  • Removing cppcoreguidelines-virtual-class-destructor from the profiles (#3494).

CLI / Server improvements / fixes

  • Add confidentiality classification to the product config (#3405)
  • Jump to checker docs automatically (#3455).
  • Support newline in analysis info (#3490).
  • Fix run name link in report info (#3477).
  • Fix console error on reports page (#3478).
  • Fix weird file path filter (#3479).
  • Fix getting checker labels for 'unknown' analyzer (#3491).
  • Change required permission to view access for some API request (#3440).
  • Fix getting git commit url (#3453).
  • Update blame info (#3488).

Other improvements / fixes.

  • Refactoring code for sarif support (#3462).
  • Fix duplication warning when collecting blame info (#3446).
  • Upgrade mkdocs to 1.2.3 (#3472).
  • Use clang-13 in the CI, uplift tests accordingly (#3475).
  • Add github action to publish snap package (#3492).
  • Install common requirements on venv_dev target (#3493).
  • Mention venv_dev target in the main readme file (#3480).
  • Do not skip building the UI code when creating a pypi package (#3461).
  • Small typo fix (#3434)

For more information check the milestone.

codechecker - v6.17.0

Published by csordasmarton about 3 years ago

New features

Git blame integration (#3398, #3423, #3425, #3430)

With this feature it will be possible for a developer to check who modified the source line last where a CodeChecker error appears.

  • If the analyzed project is a git repository, the CodeChecker store command will store blame information for every source file which is not stored yet.
  • The GUI will have a button on the report detail view to show blame information alongside the source file.
  • Hovering the mouse over a blame line shows the commit details in a pop-up window. Clicking on the hash jumps to the remote URL of the repository and shows the commit related to that blame line.


Cleanup plans (#3419)

Cleanup plans can be used to track the progress of reports in your product. The concept is similar to GitHub Milestones.

You can do the following:

  • Managing cleanup plans: you can create cleanup plans by clicking on the pencil icon at the Cleanup plan filter on the Reports page. A pop-up window will be opened where you can add, edit, close or remove existing cleanup plans.
  • Add reports to a cleanup plan: you can add multiple reports to a cleanup plan on the Reports page or on the Report detail page by clicking to the Set cleanup plan button and selecting a cleanup plan.
    Note: you can remove reports from a cleanup plan the same way by clicking on the cleanup plan name.
  • Filter reports by cleanup plans: you can filter reports by a cleanup plan by using the Cleanup plan filter on the Reports page. Combining this filter with other filters (Detection status, Review status etc.) you will be able to filter active / resolved reports in your cleanup plan.


Local diff workflow support (#3388)

If you want to use CodeChecker in your project but you don't want to run a CodeChecker server, and you don't want to fix every report found by CodeChecker on the first run (legacy findings), this feature lets you do the following:

  1. Analyze your project to a report directory as usual (e.g.: ./reports).
  2. Create a baseline file from the reports which contains the legacy findings: CodeChecker parse ./reports -e baseline -o reports.baseline. Note: it is recommended to store this baseline file (reports.baseline) in your repository.
  3. On source code changes after your project is re-analyzed use the CodeChecker diff command to get the new reports:
    CodeChecker cmd diff -b ./reports.baseline -n ./reports --new
  4. On configuration changes (new checkers / options are enabled / disabled, new CodeChecker / clang version is used, etc.) re-generate the baseline file (step 1-2).

LeakSanitizer Parser (#3368, #3375)

The report-converter tool is extended with LeakSanitizer which is a run-time memory leak detector for C programs.

# Compile your program.
clang -fsanitize=address -g lsan.c

# Run your program and redirect the output to a file.
ASAN_OPTIONS=detect_leaks=1 ./a.out > lsan.output 2>&1

# Generate plist files from the output.
report-converter -t lsan -o ./lsan_results lsan.output

# Store reports.
CodeChecker store ./lsan_results -n lsan

For more information see.

Checker label (#3233, #3413, #3414, #3415, #3432)

Previously the properties of checkers (severity, profile, guideline) were read from several JSON files. The goal was to handle all these and future properties of checkers in a common manner. This new solution uses labels which can be added to checkers.

The collection of labels is found in config/labels directory. The goal of these labels is that you can enable or disable checkers by these labels.

# List checkers in "sensitive" profile.
CodeChecker checkers --label profile:sensitive

# List checkers in "HIGH" severity.
CodeChecker checkers --label severity:HIGH

# List checkers covering str34-c SEI-CERT rule.
CodeChecker checkers --label sei-cert:str-34-c

# List checkers covering all SEI-CERT rules.
CodeChecker checkers --label guideline:sei-cert

# List available profiles, guidelines and severities.
CodeChecker checkers --profile
CodeChecker checkers --guideline
CodeChecker checkers --severity

# List labels and their available values.
CodeChecker checkers --label
CodeChecker checkers --label severity

# Enable HIGH checkers during analysis.
CodeChecker analyze \
  ./compile_commands.json \
  -o ./reports \
  -e severity:HIGH

Note: with this new feature we also added severity levels for pylint (#3414) and cppcheck (#3415) analyzers.

Analyze improvements / fixes

  • Allow to override checker list (#3203).
  • Handle clang binary without installed dir (#3186).
  • Don't hardcode GCC in build-logger Makefile (#3352).
  • Improve debug log messages (#3361).
  • Remove the MallocOverflow checker from the sensitive profile (#3392).
  • Add the MallocOverflow checker to the extreme profile (#3400).
  • Create new diagnostic message hash (#3402).
  • Build log transformer: also ignore -fno-reorder-functions (#3411).
  • Don't run ClangSA checkers from clang-tidy (#3417).

CLI (parse, diff, etc.) improvements / fixes

  • Parse command exits with error in case of duplicated suppress comment (#3253).
  • Make parse subcommand to work with --skip option correctly (#3328).
  • Log options from the configuration file (#3341).
  • Do not print sensitive information when exception happens (#3355).
  • Add severity to CodeClimate export (#3356).
  • Improve log messages for gerrit output (#3374).
  • Fix gerrit output (#3378).
  • Fix check command config file support (#3385).

Server improvements / fixes

  • Use processes instead of threads (#3349).
  • Product View Permission (#3332).
  • Add index for report and run history id columns (#3351).
  • Unzip storage zip file to workspace directory (#3347).
  • Log run id when storing a run (#3358).
  • Comment date collision (#3360).
  • Fix exporting checker statistics to CSV (#3362).
  • Rephrase "report not found" error message (#3376)
  • Create columns for product details (#3382).
  • Fix setting analysis_info_id_seq (#3383).
  • Add 'thrift==0.13.0' dependency explicitly (#3389, #3394).
  • Show edit option only for admins (#3426).

Other improvements / fixes.

  • Add local package to git automatically and refactor the doc (#3319).
  • Fix pypi package github action (#3344).
  • include package data files in python package (#3357).
  • Remove doxygen requirement (#3346).
  • Update checker_and_analyzer_configuration.md (#3350).
  • Web docker image hooks (#3359).
  • Add wait-for script to the docker image (#3364).
  • Change permission of helper script in docker image (#3365).
  • Usage of skip list handler is not optional anymore (#3366).
  • Fix broken alembic urls (#3390).
  • Documentation for Pypi package (#3391).
  • Add the severity for "readability-identifier-length" (#3403).
  • Override argparse error code (#3408).
  • Extend documentation with multi storage feature (#3420).
  • Test workspace is not necessarily under HOME (#3421).
  • Add the license file to the pypi package (#3422).
  • Add new features for 6.16.0 and 6.17.0 releases (#3427).
codechecker - v6.16.0

Published by csordasmarton over 3 years ago

New features

PyPI package support (#3251, #3301).

PyPI is the most commonly used central repository for Python packages. For this reason, from this release we will provide an official PyPI package for CodeChecker. This PyPI package can be easily installed on both Unix and Windows based systems by using the pip command: pip install codechecker.

Add compilation database generator for Bazel (#3226, #3284).

CodeChecker was extended with a tool that can capture compilation database of a Bazel built product without actually performing compilation. For more information see.

Exporter/importer command for CodeChecker cmd (#3116)

New command line options are introduced (CodeChecker cmd export and CodeChecker cmd import) which can be used to export comments and review status for a particular run in a JSON based format from a running CodeChecker server and import it to another server.

# Export data from one server.
CodeChecker cmd export -n myrun \
  --url https://first-server.codechecker.com:443 2>/dev/null | python -m json.tool > myrun_export.json

# Import data to another server.
CodeChecker cmd import -i myrun_export.json  --url https://second-server.codechecker.com:443

Sparse and Cpplint analyzers support (#3160, #3248).

The report-converter tool was extended with two more analyzers:

  • Sparse which is a semantic checker for C programs; it can be used to find a number of potential problems with kernel code.
  • CppLint which is a lint-like tool which checks C++ code against Google C++ Style Guide.

For more information see.

Analyze improvements / fixes

  • Set parse subcommand exit code to 2 when any report exist (#3313).
  • Use maximum CPU resources by default during analysis (#3249).
  • Generate reproducer (#3324).
  • Enable the build logger fix for CR and LF by default (#3310).
  • Fix ccache compiler detection (#3204).
  • Adding severities for checkers (#3218, #3337).
  • Remove some code duplication from CodeChecker check command (#3217).
  • Add altera-unroll-loops to the list of checkers (#3266).
  • Adding cert checkers to sensitive profile (#3338).
  • Relative include paths to --sysroot (#3259).
  • Handle getting options for old analyzer version (#3297).
  • Fix logger compilation warnings (#3305).
  • Fix yaml dumper (#3331).

CLI (parse, diff, etc.) improvements / fixes

  • Fix storage of multiple report directory (#3263, #3281, #3339).
  • Fix creating session file (#3212).
  • Handle no mandatory env var when using gerrit output (#3196).
  • Handle invalid proxy settings (#3198).
  • Fix for SpotBugs Report Converter with Plugins (#3262).
  • Use codechecker_report_hash module (#3270, #3317).

Server improvements / fixes

  • Cleanup unused data (comments, review statuses) (#3243).
  • Add analyzer commands for reports (#3320, #3336).
  • Add documentation link to the bug report (#3330).
  • Fix failed files uniqueing on the statistics page (#3285).
  • Allow to change the outstanding reports chart resolution (#3179).
  • Change granularity for Number of outstanding reports chart (#3036).
  • Faster query for reports (#3316).
  • Fix quotes in system comments (#3094).
  • Add button to copy file path (#3176).
  • Close filter settings on apply (#3178).
  • Run filter is not working for the new reports at the Product overview statistics (#3035).
  • Use textarea at source component description (#3190).
  • Show review status selector even if status change is disabled (#3195).
  • Highlight row in code editor on hover event (#3224).
  • Highlight report on the scrollbar (#3225).
  • Get CodeChecker API version automatically in webpack (#3265).
  • Move generated API stubs to the repo (#3268, #3288).
  • Workaround for SQLite limitation in severity change (#3282).
  • Permission checking compares auth. names in case insensitive… (#3279)

Other improvements / fixes.

  • Scrollable sidebar at plist2html (#3327).
  • Version upgrades (#3211, #3034, #3252, #3333).
  • Add coverage for unit tests (#3315).
  • Add type hints (#3215, #3216, #3214, #3280).
  • Use Python3 enums (#3291).
  • Use python3 new style classes (#3290).
  • Documentation updates (#3222, #3246, #3261, #3292, #3295, #3302).
  • Performance test improvement (#3278, #3287, #3289, #3325).
  • Use singleton when creating context objects (#3193).
  • Fix non existent report directory test (#3250).
  • Fix unused import (#3264).
  • Compile test project with c++11 explicitly (#3283).
  • Add semicolon to web Makefile (#3298).
  • Ignore errors when removing workspace directories (#3300, #3329).
  • Refactor process runner function (#3307).
  • Enable cyclic-import and consider-iterating-dictionary checks (#3314).
  • Fix running tu_collector test target (#3334).
codechecker - v6.15.2

Published by csordasmarton over 3 years ago

❗ ❗ ❗ Non-backward compatible changes ❗ ❗ ❗

  • When a checker name and the alias of this checker are both turned on, Clang Tidy (>=v11) will generate only one report where the checker names are concatenated with a , mark (e.g.: cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers). Unfortunately in previous CodeChecker releases we didn't handle this use case properly and we generated only one report from it. We changed this behaviour in #3238 so that multiple reports will be generated, one for each checker name / alias, if both are enabled.

  • From this release, the CodeChecker analyze command will indicate only the success and failure of the analysis by zero and non-zero exit codes respectively. Before, the analysis subcommand returned 2 if there was any report in the analysis. From this release, it will return 0 if the analysis was successful, irrespective of the number of reports.
    The CodeChecker parse and CodeChecker cmd diff subcommand will return with value 2 if there is at least one (not suppressed) report in the result set (#3232, #3255).

    The return values of the subcommands are as follows:

    • CodeChecker analyze:
      0 - Successful analysis
      1 - CodeChecker error
      3 - Analysis of at least one translation unit failed
      128+signum - Terminating on a fatal signal whose number is signum

    • CodeChecker parse
      0 - No report
      1 - CodeChecker error
      2 - At least one report emitted by an analyzer

    • CodeChecker check
      0 - No report
      1 - CodeChecker error
      2 - At least one report emitted by an analyzer
      3 - Analysis of at least one translation unit failed
      128+signum - Terminating on a fatal signal whose number is signum

    • CodeChecker cmd diff
      0 - No difference between baseline and newrun
      1 - CodeChecker error
      2 - There is at least one report difference between baseline and newrun

Analyze improvements / fixes

  • Fix target attribute of the log parser (#3184).
  • Fix parsing clangsa analyze help (#3206).
  • Fix ccache compiler detection (#3204).
  • Handle no analyzer use cases (#3194).
  • Fix cleanup metadata (#3192).
  • Expose --suppress option to the check sub-command (#3231).
  • Fix duplication warning when creating failed zip (#3213).
  • Handle Clang Tidy aliases in plist files (#3238).
  • Removing noisy checkers from the sei-cert guideline (#3256).

CLI (parse, diff, etc.) improvements / fixes

  • Change exit codes (#3232, #3255).
  • Fix file path in codeclimate output (#3202).
  • Fix source content change error when diffing remote runs (#3191).
  • Handle suppression properly in diff command (#3189).
  • Fix for the SpotBugs report converter (#3237, #3247).
  • Improve error message when cmd diff fails on user input (#3240).

Server improvements / fixes

  • Configure keepalive (#3167).
  • Wrap bugstep messages (#3177).
  • Fix database status in product name column (#3185).
  • Set filter properly when clicking on the diff count in the statistics page (#3230).
  • Fix getting analysis statistics (#3229).

Other fixes

  • Fix context of the docker github action (#3181).
  • fix run_codechecker.sh (#3234).